In message <[EMAIL PROTECTED]> Per Heldal writes:
>
> On Wed, 2006-09-27 at 12:41 -0400, Curtis Villamizar wrote:
> > In message <[EMAIL PROTECTED]>
> > Iljitsch van Beijnum writes:
> > >
> > > Now if this proposed wg can find a way for me to recognize spoofed
> > > packets when they enter my networks without cooperation from the
> > > source and intermediate networks, I'm all ears.
> >
> > Create a filter at each ingress to your network taking unassigned (and
> > optionally also unreachable) address space. The minimal data
> > collection is incrementing a counter. You may also want to blackhole
> > the traffic with invalid source address but you don't need to do that
> > to do the data collection. Just counting the filter hits may be all
> > you want to do. If you see a spike in that traffic, notify the peer.
> > If they do the same, it leads back toward the source of spoofed
> > attacks.
>
> That's not the universal method Iljitsch asked for. What about attacks
> spoofing the victim (valid address), using reflection and/or
> amplification through services like e.g. DNS?
>
> Methods like the detection and peer notification you describe involve
> manual operations. That's nowhere near the sub-second response-times
> you'd expect from modern network services.
>
> //per
OK. You are looking for a test that can be made at forwarding time -
sort of a "perfect RPF". Unfortunately asymmetric routes may make a
perfect RPF infeasible.

For the above cases, for your single homed direct customers you can not
accept traffic with their source addresses but soon this becomes a
rather large and hard to maintain filter. Maybe if you had a "single
homed customer" BGP community you could install RPF-like filters
blocking traffic with source addresses for each prefix with this
community and protecting your own single homed customers.

Does that help?

Curtis

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
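The two filters discussed in the thread, the per-ingress counter on unassigned source space and the RPF-like check that only accepts a single-homed customer's source addresses on that customer's own ingress, written out as an added example (not code from the thread or from any router vendor). The prefixes, ingress names and traffic below are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed list of "unassigned" source space; a real deployment would
# load a maintained bogon list instead of these hard-coded prefixes.
BOGONS = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "192.0.2.0/24")]

# Single-homed customer prefix -> the one ingress it may legitimately
# arrive on (constructed; stands in for the "single homed customer"
# BGP community Curtis proposes).
SINGLE_HOMED = {
    ipaddress.ip_network("203.0.113.0/24"): "cust-a",
    ipaddress.ip_network("198.51.100.0/25"): "cust-b",
}

def classify(src, ingress):
    """Return 'bogon', 'spoofed-customer' or 'ok' for one packet."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon"
    for net, home in SINGLE_HOMED.items():
        # customer source seen on any ingress but the customer's own
        if addr in net and ingress != home:
            return "spoofed-customer"
    return "ok"

def run_filter(packets):
    """Count filter hits per (ingress, verdict); packets are (src, ingress)."""
    hits = Counter()
    for src, ingress in packets:
        hits[(ingress, classify(src, ingress))] += 1
    return hits

def spiking_peers(hits, threshold):
    """Ingresses whose invalid-source hit count exceeds threshold: the peers to notify."""
    per_ingress = Counter()
    for (ingress, verdict), n in hits.items():
        if verdict != "ok":
            per_ingress[ingress] += n
    return sorted(i for i, n in per_ingress.items() if n > threshold)

SAMPLE = [  # constructed traffic: (source address, ingress it arrived on)
    ("203.0.113.7", "cust-a"),      # customer A from its own ingress: fine
    ("203.0.113.9", "peer-x"),      # customer A's address from a peer: spoofed
    ("10.1.2.3", "peer-x"),         # unassigned source
    ("10.1.2.4", "peer-x"),
    ("198.51.100.5", "cust-b"),
    ("198.51.100.200", "cust-b"),   # outside cust-b's /25, so no rule applies
    ("203.0.114.1", "peer-y"),
]
```

Running `run_filter(SAMPLE)` shows peer-x accounting for all three invalid-source hits, which is the spike Curtis says should trigger notifying that peer.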
