How to filter spoofed packets:
1. Packet arrives
2. Remember what interface number the packet arrived on
3. Do a route lookup of the SOURCE address, especially take note of
the interface number for the route.
4. Compare the interface numbers learned in 2 and 3. If they don't
match up, either someone is lying, or your routing tables are
screwed up (assume the earlier and chuck the packet).
Not too hard eh? :-)
Yes, I know this will cause double route lookups. In a system
with MANY routes, this is undesirable. The load may however
be reduced by creating a phony simplified route list for the
purpose of spoof checks, which doesn't take next hop gateways into
account but only interfaces. Doing this, you can probably combine
a lot of the routes and hence reduce load.
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
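The four-step check above (plus the "simplified route list" idea) as an added example in Python; this is not code from the original post or from any particular firewall, and the interface numbers, prefixes and next hops are constructed for illustration. Routes are matched longest-prefix-first, the SOURCE address is looked up, and the packet is dropped when the route's interface differs from the ingress interface. `simplified_table` shows the suggested optimisation: next hops are discarded and prefixes behind the same interface are collapsed, so the spoof check consults a smaller table than forwarding does.

```python
import ipaddress

# Constructed routing table: (prefix, next hop, interface index).
# Interface 1 faces the ISP, 2 the internal LAN, 3 a DMZ (all assumed).
ROUTES = [
    ("0.0.0.0/0",       "203.0.113.1", 1),  # default route via ISP
    ("10.0.0.0/8",      None,          2),  # directly connected LAN
    ("10.1.0.0/16",     "10.0.0.254",  2),  # more specific, same interface
    ("192.168.50.0/24", None,          3),  # directly connected DMZ
]


def build_table(routes):
    """Sort routes so the most specific prefix is tried first (longest match)."""
    parsed = [(ipaddress.ip_network(p), nh, ifidx) for p, nh, ifidx in routes]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def route_lookup(table, addr):
    """Step 3: return the interface index the table would route 'addr' out of."""
    ip = ipaddress.ip_address(addr)
    for net, _next_hop, ifidx in table:
        if ip in net:
            return ifidx
    return None  # no route at all


def is_spoofed(table, src, ingress_if):
    """Steps 2-4: compare the ingress interface with the reverse-path interface.

    Returns True when the packet should be chucked.
    """
    expected_if = route_lookup(table, src)
    if expected_if is None:
        # No route back to the claimed source: treat as a lie and drop.
        return True
    return expected_if != ingress_if


def simplified_table(routes):
    """The post's optimisation: ignore next hops, merge prefixes per interface."""
    by_if = {}
    for p, _next_hop, ifidx in routes:
        by_if.setdefault(ifidx, []).append(ipaddress.ip_network(p))
    merged = []
    for ifidx, nets in by_if.items():
        # collapse_addresses drops prefixes already covered by a wider one
        # and joins adjacent ones, which is exactly the "combine routes" step.
        for net in ipaddress.collapse_addresses(nets):
            merged.append((net, None, ifidx))
    return sorted(merged, key=lambda r: r[0].prefixlen, reverse=True)


TABLE = build_table(ROUTES)
SIMPLE = simplified_table(ROUTES)

if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on)
    packets = [
        ("198.51.100.7", 1),  # outside address from the ISP side: fine
        ("10.5.5.5", 1),      # internal address from the ISP side: spoofed
        ("10.5.5.5", 2),      # internal address from the LAN: fine
        ("8.8.8.8", 2),       # outside address from the LAN: spoofed
    ]
    for src, ifidx in packets:
        verdict = "DROP" if is_spoofed(SIMPLE, src, ifidx) else "accept"
        print(f"src={src:<14} in_if={ifidx} -> {verdict}")
```

The check is only sound where routing is symmetric: if legitimate traffic from a source can enter on an interface other than the one you would use to reach it (multi-homed links, asymmetric paths), the strict comparison in step 4 drops good packets, so such interfaces need to be excluded or checked more loosely.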