From owner-freebsd-security Sat Jan 22 2:59:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id D9ED415629 for ; Sat, 22 Jan 2000 02:59:44 -0800 (PST) (envelope-from sthaug@nethelp.no)
Received: (qmail 58524 invoked by uid 1001); 22 Jan 2000 10:59:43 +0000 (GMT)
To: yankee@az.com
Cc: gdonl@tsc.tdk.com, security@FreeBSD.ORG
Subject: Re: attack arbitration server
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sat, 22 Jan 2000 01:42:57 -0800 (PST)"
References:
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sat, 22 Jan 2000 11:59:43 +0100
Message-ID: <58522.948538783@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> At some point in the chain of routers during a reverse route trace back,
> the key router that was originally spoofed would figure out where the
> packet REALLY came from and realize it was different than the originally
> documented source address in its history/route table. Sort of like, Hey -
> I don't have a destination to you and I'm getting complaints about you

This exists in Cisco IOS 12.0, and also 11.1CC. It's a per-interface setting
called "ip verify unicast reverse-path", and will indeed check the source
address against the routing tables. A couple of caveats:

- Not really all that usable for core routers, since it doesn't work reliably
  for asymmetric routing paths. You need to do this at the edge routers. It's
  still much better than having to make an access list per interface, though.

- Requires you to run CEF.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
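The check the message describes (strict unicast reverse-path forwarding: accept a packet only if the route back to its source address leaves via the interface the packet arrived on) is simple enough to model directly. The following is an added example written for this page, not code from the thread, from Cisco, or from FreeBSD. The routing table, interface names and packet list are constructed; it also shows why the check is an edge-router tool by reproducing the asymmetric-routing caveat, and derives the per-interface ingress access list that the router-side check replaces.

```python
import ipaddress

# Constructed routing table for a small edge router:
# destination prefix -> outgoing interface. Two customer links, one upstream.
ROUTING_TABLE = {
    "192.0.2.0/24":    "Ethernet0",  # customer A
    "198.51.100.0/24": "Ethernet1",  # customer B
    "0.0.0.0/0":       "Serial0",    # default route towards the upstream
}


def best_route(dst_ip):
    """Longest-prefix match: the interface this router would use to reach dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in ROUTING_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src_ip, ingress_iface):
    """Strict reverse-path check, as 'ip verify unicast reverse-path' does per
    interface: the packet is accepted only if the route back to its SOURCE
    address exits on the interface the packet came in on."""
    return best_route(src_ip) == ingress_iface


def ingress_acl(iface):
    """The equivalent of a hand-written ingress access list for one interface:
    the set of source prefixes the routing table says live behind it.
    This is what the reverse-path check saves you from maintaining by hand."""
    return sorted(p for p, i in ROUTING_TABLE.items() if i == iface)


def filter_packets(packets):
    """Apply the strict check to (source address, ingress interface) pairs."""
    return [(src, iface, "accept" if urpf_strict(src, iface) else "drop")
            for src, iface in packets]


# Constructed sample traffic.
SAMPLE = [
    ("192.0.2.10",    "Ethernet0"),  # customer A, genuine source: accept
    ("203.0.113.5",   "Ethernet0"),  # customer A claiming an outside address: drop
    ("198.51.100.7",  "Ethernet0"),  # customer A claiming customer B's address: drop
    ("203.0.113.5",   "Serial0"),    # outside address from the upstream: accept
    ("192.0.2.10",    "Serial0"),    # the caveat: A's own address arriving via the
                                     # upstream (asymmetric path) is wrongly dropped
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(SAMPLE):
        print(f"{src:>15} in {iface:<9} -> {verdict}")
    print("ingress ACL for Ethernet0:", ingress_acl("Ethernet0"))
```

The last sample packet is the asymmetric-routing case from the message: a legitimate packet whose forward path differs from this router's return path fails the strict check, which is why the setting belongs on edge interfaces where paths are symmetric by construction, not in the core.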