Clifton,

Have you verified that operation on the router? I believe that if the stupid or malicious host continued to send packets to the router when they are really destined for another host (or router) on the subnet, the router would continue to send ICMP redirects back to the sending host, and wouldn't cache this response for future packets, even with 'ip route-cache same-interface' enabled. The router should only populate its forwarding table with next-hop information for real data flows, and an ICMP redirect (which is telling the host that this (through the router) isn't the correct path for a specific data flow) shouldn't be cached. I haven't verified this, though...

-rb

----Original Message Follows----
From: Martin Cooper <mjc@cooper.org.uk>
To: "Clifton D. McKinney" <clift@alltel.net>
CC: nanog@merit.edu
Subject: Re: Possible DoS attack (?)
Date: Tue, 09 Nov 1999 15:03:52 +0000

"Clifton D. McKinney" <clift@alltel.net> wrote:
Is this something that the "no ip directed-broadcast" command would prevent?
Nope (unfortunately)... I think I should clarify what the problem is again, since I've had a few private emails that suggest that what I originally wrote was confusing.

The route-cache (fast-switching) speeds up switching by building a simple lookup table of IP-prefix/output-interface pairs by doing a routing table lookup (process-switching) for the first packet it sees that is addressed to any destination prefix.

The problem is that to implement ICMP redirects, Ciscos have to do process-switching to figure out that the source and destination addresses are both out of the same interface and can therefore talk to each other directly (i.e. without pointlessly bouncing traffic off the router and causing the same traffic to go over the same network twice, wasting bandwidth). This would be fine and dandy if, when they sent a redirect, the host that received it listened to it and stopped bouncing traffic off the router, but if it doesn't (either stupidly or maliciously) then all traffic that is being bounced off the router has to carry on being process-switched, burning CPU cycles like it's going out of fashion.

If you turn on 'ip route-cache same-interface' the router will still send a redirect for the first packet addressed to a particular prefix that it sees, because it has to process-switch it to figure out what to put in the route-cache, but after that it will use the cache, and not look at the source addresses of packets to that destination at all (try turning on 'debug ip icmp' to see this behaviour).

Whether you use the command or not is a trade-off based on whether you want redirects to work properly (stopping traffic being bounced off the router unnecessarily if other hosts listen to them), or if you would rather not burn CPU when other hosts don't listen to them and you have to switch the traffic back out of the same interface anyway.

M.
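The trade-off Martin describes, as an added toy model that is not from the thread or from IOS: a router keeps a prefix-to-interface route-cache, process-switches only cache misses, and generates a redirect when a process-switched packet would leave through the interface it arrived on. The topology, interface names and addresses are constructed; the model assumes one redirect per process-switched same-interface packet, which the thread implies but does not state.

```python
import ipaddress


class Router:
    """Toy model of a route-cache (fast switching) with ICMP redirects."""

    def __init__(self, routes, same_interface=False):
        # routes: (prefix, output interface) pairs, i.e. the routing table
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.same_interface = same_interface  # models 'ip route-cache same-interface'
        self.cache = {}            # prefix -> output interface (the route-cache)
        self.process_switched = 0  # packets that needed a routing-table lookup
        self.redirects = 0         # ICMP redirects generated

    @staticmethod
    def _best(entries, dst):
        # longest-prefix match over (network, interface) pairs; None if no match
        hits = [(net, iface) for net, iface in entries if dst in net]
        return max(hits, key=lambda e: e[0].prefixlen, default=None)

    def forward(self, dst, in_iface):
        dst = ipaddress.ip_address(dst)
        # fast path: cache hit, the input interface is never examined
        hit = self._best(self.cache.items(), dst)
        if hit is not None:
            return hit[1]
        # slow path: process-switch, and redirect if the packet goes back out
        # the interface it arrived on
        self.process_switched += 1
        net, out_iface = self._best(self.routes, dst)
        if out_iface == in_iface:
            self.redirects += 1
            if not self.same_interface:
                return out_iface   # never cached: every such packet takes the slow path
        self.cache[net] = out_iface
        return out_iface


def simulate(same_interface, packets=100):
    """Constructed topology: 192.0.2.0/24 on Ethernet0, default route via Serial0.
    A host on Ethernet0 keeps sending traffic for its own LAN neighbour through
    the router, ignoring every redirect it gets."""
    r = Router([("192.0.2.0/24", "Ethernet0"), ("0.0.0.0/0", "Serial0")],
               same_interface)
    for _ in range(packets):
        r.forward("192.0.2.20", "Ethernet0")
    return r.process_switched, r.redirects
```

With the command off, all 100 packets are process-switched and redirected; with it on, only the first is, and the remaining 99 hit the cache.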