Alex Rudnev wrote: Hi, Alex!
BTW. Some time ago (when we used PC based routers and had all sources) we discussed the same problem. One of the best solutions to prevent many kinds of hacker's weapons is to allow customer send packets with SRC address ONLY if this (SRC) address have routing via the same interface. This control is possible only for one-homed customer but is effective enougph to prevent TCP spoofing, many SYN, PING, UDP etc attacks and does allow ISP to determine the source of any internet attack.
I stated many times that it would be desireable default behaviour for routers to never accept packets with source addresses for which it doesn't have route back thru the same interface. That prohibits IP src spoofing (and asymmetrical paths). When asymmetrical routing is what it desired that safeguard could be disabled on per-interface basis. In most networks asymmetrical routing is an indication of a bug in an IGP configuration, so early detection of the configuration problems would be an additional benefit. --vadim
participants (1)
-
Vadim Antonov