Re: DDoS Mitigation Survey
On Mon, 7 Mar 2005, Christopher L. Morrow wrote:
> Loose should provide you the ability to 'anti-spoof' a customer link,
> where 'anti-spoof' would mean: "drop anything not in the global table, or
> which has an adjacency which is 'discard'" (discard/null/bad/reject...
> invalid) This seems nice, but the trade-off isn't something I see
> worthwhile if your gear can't do this in hardware. uRPF can be very, very
> dangerous on software based platforms :(
But this isn't "anti-spoof" at all, because the customer can just
spoof a _routed_ address instead. Maybe it could be characterized as,
"the customer sending us traffic it definitely shouldn't be sending
us", triggering an investigation of what's going on.
But as you state, the customers typically send you private IP
addresses etc. as well, so this is more of a check whether the
customer has done some amount of filtering himself, nothing more.
This is what RFC3704 section 2.4 says:
If other approaches are unsuitable, loose RPF could be used as a form
of contract verification: the other network is presumably certifying
that it has provided appropriate ingress filtering rules, so the
network doing the filtering need only verify the fact and react if
any packets which would show a breach in the contract are detected.
Of course, this mechanism would only show if the source addresses
used are "martian" or other unrouted addresses -- not if they are
from someone else's address space.
.. but this has nothing to do with real anti-spoofing..
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
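Added example, not part of the thread: a small Python model of the two uRPF modes over a constructed FIB. It shows the gap discussed above: loose RPF drops martians and null-routed sources, but passes a customer packet that spoofs a routed address belonging to someone else, which only the strict (ingress-interface-matched) check catches. The prefixes, interface names and the "discard" adjacency label are assumptions made for the model.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed forwarding table: prefix -> egress adjacency.
# "discard" stands in for a null/blackhole adjacency. No default route
# is present; with one, the loose check below would match every source.
FIB: Dict[str, str] = {
    "192.0.2.0/24": "cust1",       # customer 1's allocation
    "198.51.100.0/24": "cust2",    # customer 2's allocation
    "203.0.113.0/24": "transit0",  # someone else's space, reached via transit
    "10.0.0.0/8": "discard",       # RFC 1918 space null-routed on this box
}


def lookup(fib: Dict[str, str], src: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match on the source address; None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, adj in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, adj)
    return None if best is None else (str(best[0]), best[1])


def urpf(fib: Dict[str, str], src: str, ingress_if: str, mode: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source src arriving on
    ingress_if. mode is 'loose' (route exists, not discard) or 'strict'
    (route exists and its best path leads back out the ingress interface)."""
    route = lookup(fib, src)
    if route is None:
        return ("drop", "no route to source")
    prefix, adj = route
    if adj == "discard":
        return ("drop", f"{prefix} points to a discard adjacency")
    if mode == "loose":
        return ("pass", f"{prefix} is in the table via {adj}")
    if adj == ingress_if:
        return ("pass", f"best path to {prefix} is back out {ingress_if}")
    return ("drop", f"best path to {prefix} is {adj}, not {ingress_if}")


def run_cases() -> Dict[str, Tuple[str, str]]:
    """Constructed packets from customer link cust1, checked in both modes."""
    sources = ["192.0.2.10", "203.0.113.5", "10.1.2.3", "100.64.0.1"]
    return {f"{s}/{m}": urpf(FIB, s, "cust1", m)
            for s in sources for m in ("loose", "strict")}


if __name__ == "__main__":
    for key, (verdict, reason) in run_cases().items():
        print(f"{key:22} {verdict:5} {reason}")
```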