This should (naturally) be implemented where routing is symmetric and where a "reverse-path check" (looking up the source address in the routing table to find the "expected" incoming interface and checking whether the packet did indeed enter through that interface)
The big question is, what do you do if most of your traffic _is_ asymmetrical?
Well, in that case you can't apply this method. It may however make sense to think of re-engineering the network so that those boxes which can't do this check sit "behind" such an RPF-checking box.
I mean, a more basic check could be, "Does the network that this packet was sourced from exist *at all*?", or "Do I have a route back to the source network through *any* interface?"
That would cut down on a good amount of spoofing, like the idiots who spoof from 1.1.1.1 etc.
It would prevent simple spoofing, yes, but that would not eliminate the Smurf attacks since to mount a Smurf attack you need to use the victim's address as your source address, and that one *is* typically "valid" according to the criteria you mention above (?). - Håvard
The other extreme is that, what if you are singly-homed? Then it is useless again. My point is, I would guess that if you are not single-homed (in which case this is useless), you are multi-homed, and your traffic probably isn't symmetrical. Therefore, I think this feature is of limited usefulness.
> It would prevent simple spoofing, yes, but that would not eliminate the Smurf attacks since to mount a Smurf attack you need to use the victim's address as your source address, and that one *is* typically "valid" according to the criteria you mention above (?).
-- 
Atheism is a non-prophet organization. I route, therefore I am.
Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
Father of the Network and Head Bottle-Washer
Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP! We have more backbone! http://www.nac.net
Havard.Eidnes@runit.sintef.no writes...
> It would prevent simple spoofing, yes, but that would not eliminate the Smurf attacks since to mount a Smurf attack you need to use the victim's address as your source address, and that one *is* typically "valid" according to the criteria you mention above (?).
But the first router the spoofer hits would NOT likely point the spoofed address back to the spoofer. At that router this would stop the spoof. This is why the feature needs to be shipped on all routers and enabled by default.

-- 
Phil Howard | no1way99@no5place.edu ads3suck@no8where.edu stop5it0@dumbads2.edu
       phil | blow0me8@dumb6ads.org ads4suck@noplace3.org stop3ads@noplace0.net
         at | die1spam@lame8ads.com end4it12@anyplace.net stop9597@spammer8.net
   milepost | stop5ads@no0place.org end7it69@anyplace.edu a8b3c9d6@dumbads2.com
        dot | die4spam@lame1ads.net stop6it2@no6where.com suck3it1@spam2mer.org
        com | stop9915@spam6mer.net stop1it8@nowhere2.org stop0ads@anywhere.net
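The three checks argued over in this thread (the strict reverse-path lookup described at the top, the looser "do I have a route back at all" test, and the Smurf case where the victim's address is routable but arrives on the wrong interface) worked through against a small routing table. This is an added illustration, not code from any of the posters; the prefixes, interface names and the table itself are constructed, and the `allow_default` switch is an assumption modelled on the behaviour real routers expose for loose checks with a default route present.

```python
"""Strict, loose and feasible-path reverse-path checks against a toy FIB.

Added example: the routing table below is constructed for illustration and
does not describe any real network from the thread.
"""
import ipaddress

# Constructed sample FIB for an ISP edge router: (prefix, egress interface).
# Longest prefix wins; on equal length the first entry listed is the "best"
# route, the second models an equal-cost backup path for a multi-homed customer.
SAMPLE_FIB = [
    ("0.0.0.0/0",       "up0"),    # default route toward the upstream
    ("198.51.100.0/24", "cust0"),  # a single-homed customer
    ("203.0.113.0/24",  "up0"),    # the Smurf victim's network, reached via upstream
    ("192.0.2.0/24",    "cust1"),  # multi-homed customer, primary path
    ("192.0.2.0/24",    "up0"),    # same customer, backup path via upstream (asymmetry)
]


def matching_routes(fib, src):
    """All (network, iface) entries whose prefix covers src, any length."""
    ip = ipaddress.ip_address(src)
    return [(ipaddress.ip_network(p), i) for p, i in fib
            if ip in ipaddress.ip_network(p)]


def best_route(fib, src):
    """Longest-prefix match: the (network, iface) a router would forward on."""
    best = None
    for net, iface in matching_routes(fib, src):
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def strict_rpf(fib, src, ingress):
    """Strict check: the best route back to src must point out the ingress
    interface. Only sound where routing is symmetric on that interface."""
    route = best_route(fib, src)
    return route is not None and route[1] == ingress


def loose_rpf(fib, src, allow_default=False):
    """Loose check: a route back to src must exist via *any* interface.
    A default route would make every source 'valid', so it is ignored unless
    allow_default is set (assumed knob, modelled on router implementations)."""
    route = best_route(fib, src)
    if route is None:
        return False
    if route[0].prefixlen == 0 and not allow_default:
        return False
    return True


def feasible_rpf(fib, src, ingress):
    """Feasible-path check: accept if *any* route covering src (not only the
    best one) points out the ingress interface. Tolerates asymmetric paths
    such as the multi-homed customer above at the cost of some strictness."""
    return any(iface == ingress for _, iface in matching_routes(fib, src))


def verdicts(fib, src, ingress):
    """Run all three checks on one packet and return the results by name."""
    return {
        "strict": strict_rpf(fib, src, ingress),
        "loose": loose_rpf(fib, src),
        "feasible": feasible_rpf(fib, src, ingress),
    }


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on, description)
    packets = [
        ("198.51.100.7", "cust0", "legitimate customer traffic"),
        ("203.0.113.5",  "cust0", "Smurf-style spoof of a routable victim address"),
        ("192.0.2.9",    "up0",   "multi-homed customer arriving over the backup path"),
        ("10.9.8.7",     "cust0", "source with no route except the default"),
    ]
    for src, iface, what in packets:
        print(f"{what}: src={src} in={iface} -> {verdicts(SAMPLE_FIB, src, iface)}")
```

The Smurf packet is the interesting row: the loose check passes it, because the victim's prefix is routable, while the strict check at the first-hop router rejects it, because the best route back to the victim points at the upstream rather than at the customer port. The multi-homed row shows what breaks under asymmetry and why a feasible-path variant is sometimes the only option short of re-engineering the topology.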
participants (3)
- Al Reuben
- Havard.Eidnes@runit.sintef.no
- Phil Howard