14 Sep 1996, 7:43 a.m.
> -->> > the forwarding table and only accept if the source is reachable
> -->> > through that next hop) seems to be an effective preventative that could
> -->> > be easily just "switched on".
> -->> >
> -->> A very good idea.
> -->If CISCO'll hear it -:)!
> -->
> -->> Perry
> -->>
> That sounded like a good idea until I considered asymmetric routing. You
> are assuming the router always knows how to get back to its source, but

Did you read me and Antonov carefully? We have spoken about BORDER interfaces with the CUSTOMERS.

If
- the default behaviour of CISCO would be _filter out packets with SRC addresses not from the routing table for this interface_,
- it'll work on the CUSTOMER's interfaces for the single-home customers,
- I should install this behaviour on the part of my interfaces,

it'll protect us against more than 90% of these attacks.

Of course it's not possible to use this for internetwork interfaces in the big network; it's difficult to use this for inter-network interfaces in case of multihoming.

Now I have 2 kinds of interfaces there:

1) Strictly controlled interfaces for the customers. I have to use an exact list for the network numbers I receive from these interfaces (even in case of BGP I check not only AS-es but Networks too), and so on - it's because I don't trust these users.

2) Peering interfaces - when I exchange routing with other ISPs I trust them and am controlling AS paths only.

Usually I have asymmetrical routing on the interfaces of the 2nd type (but this routing is usually the sign of _something wrong in this world_). And I do not want asymmetric routing on the interfaces of the 1st kind.

> Traffic is already slow enough when a router is unstable because it may
> not know how to get to the destination, but if you throw in the
> requirement that it has to know how to get to the source as well, didn't
> you just help the hacker by shutting down service for lots of people?

How? I can't understand how this helps the hackers.

Though you are right in case of Universities (and it's not secret just universities are the motherland of the hackers -:)).

---
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
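The check the post argues for, as an added Python example that is not part of the original thread: a packet arriving on a customer-facing interface is accepted only if the forwarding table's route back to its source address points out that same interface, while peering interfaces are left unchecked because asymmetric routing there is normal. The forwarding table, interface names and sample packets are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed forwarding table: (prefix, interface the route points out of).
# Customer prefixes live behind strictly controlled customer interfaces;
# everything else is reached through the peering interface.
FIB: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "cust1"),      # single-homed customer
    (ipaddress.ip_network("198.51.100.0/24"), "cust2"),   # another customer
    (ipaddress.ip_network("0.0.0.0/0"), "peer1"),         # default route via peer
]

# Interfaces with the source check switched on: customer side only, as the
# post argues; peering interfaces are left alone because asymmetric routing
# there would make the check drop legitimate traffic.
CUSTOMER_IFACES: Set[str] = {"cust1", "cust2"}

def lookup(addr: str) -> Optional[str]:
    """Longest-prefix match of addr against FIB; returns the egress interface."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in FIB:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def accept(ingress: str, src: str, checked: Set[str] = CUSTOMER_IFACES) -> bool:
    """Reverse-path check on the ingress interface.

    On a checked interface the packet is accepted only if the route back to
    its source address points out that same interface; on any other
    interface no source check is made.
    """
    if ingress not in checked:
        return True
    return lookup(src) == ingress

def filter_packets(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Apply accept() to a list of (ingress_interface, source_address)."""
    return [(iface, src, accept(iface, src)) for iface, src in packets]

if __name__ == "__main__":
    # Constructed sample: a genuine customer packet, two spoofed ones, and a
    # packet arriving asymmetrically from the peer with a customer source.
    for row in filter_packets([("cust1", "192.0.2.10"), ("cust1", "203.0.113.5"),
                               ("cust1", "198.51.100.7"), ("peer1", "192.0.2.10")]):
        print(row)
```

Passing a `checked` set that also contains `peer1` shows the failure mode raised in the thread: the customer-sourced packet arriving from the peer is then dropped even though, under asymmetric routing, it may be legitimate.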