> Wait; all traffic is coming in one interface. The CEF thing will have no effect if the spoofed source address is a real network.
"The CEF thing" configuration from my first message in this thread does the following: For each packet entering an interface with "ip verify unicast reverse-path" turned on, the router will look up the source address from the IP packet in the CEF table and find the interface (or set of interfaces) it would use to route back to the source. If the incoming interface for the actual packet is not among those returned by the "reverse-path" lookup, the packet is dropped on the floor.

From my point of view this is exactly the sort of functionality which is needed to prevent us from being the host (originator) of a Smurf attack (or more generally from attacks involving IP address spoofing), as in the case of a Smurf attack packets with the victim's source address entering from the wrong interface will be dropped on the floor.

If you still think this doesn't help or isn't useful, I propose that we take it to private e-mail (?).

- Håvard
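An added example, not part of the thread: a small Python model of the strict reverse-path check described above, run against a constructed two-interface routing table (the prefixes and interface names are assumptions). It shows both the case the check catches (a customer-side packet carrying a source address that routes out the upstream side) and the case raised in the quoted objection (a spoofed source that is a real network reachable via the same interface the packet arrived on, which the check cannot distinguish).

```python
import ipaddress

# Constructed FIB (what the CEF table would hold): prefix -> interfaces the
# router would use to reach that prefix. Names are made up for the example.
FIB = {
    ipaddress.ip_network("10.0.0.0/8"): {"Serial0"},         # upstream side
    ipaddress.ip_network("192.168.10.0/24"): {"Ethernet0"},  # customer LAN A
    ipaddress.ip_network("192.168.20.0/24"): {"Ethernet0"},  # customer LAN B
    ipaddress.ip_network("0.0.0.0/0"): {"Serial0"},          # default route
}


def reverse_path_interfaces(src, fib=FIB):
    """Longest-prefix lookup of the packet's *source* address.

    Returns the set of interfaces the router would use to route back to
    that source, i.e. the interfaces on which the packet may legitimately
    arrive under strict uRPF."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in fib if addr in net]
    if not matches:
        return set()
    best = max(matches, key=lambda n: n.prefixlen)
    return set(fib[best])


def urpf_accepts(src, ingress, fib=FIB):
    """Strict reverse-path check: accept only if the ingress interface is
    among those the reverse-path lookup returns; otherwise drop."""
    return ingress in reverse_path_interfaces(src, fib)


def filter_packets(packets, fib=FIB):
    """Apply the check to (source, ingress) pairs; returns verdicts."""
    return [(src, ifc, "accept" if urpf_accepts(src, ifc, fib) else "drop")
            for src, ifc in packets]


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    sample = [
        ("192.168.10.5", "Ethernet0"),  # customer host, genuine source
        ("10.1.2.3", "Ethernet0"),      # customer host spoofing an upstream net
        ("10.9.9.9", "Serial0"),        # from upstream, source routes upstream
        ("192.168.20.7", "Ethernet0"),  # LAN A host spoofing LAN B (same ifc)
    ]
    for src, ifc, verdict in filter_packets(sample):
        print(f"{src:>14} in {ifc:<9} -> {verdict}")
```

The last sample line is the limitation the quoted objection points at: when the spoofed source and the real source sit behind the same interface, the reverse-path lookup returns that same interface and the packet passes.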