Tracking stealth portscan/pepsi attacks
Neil J. McRae neil at COLT.NET
Sat Sep 4 21:37:58 CEST 1999
On Sat, 04 Sep 1999 21:32:50 +0200 Havard.Eidnes at runit.sintef.no wrote:

11.1CC28 has new bug-fix [*] for dropping bad packet fragments also. We haven't tested it but it could be useful for some attacks we've seen in the past.

* Some may call this a feature, but it's definitely a bug fix.

Regards,
Neil.

> > >I do recall something Cisco implemented that checked you have
> > >a route back to any source address that comes in on a suitably
> > >configured interface else it'll drop the packet as being
> > >spoofed, this sounds good - anybody tried it?
> >
> > Hey, that sounds neat, more info?
>
> It is an IOS 12.0 feature. It requires that you run CEF (most if
> not all platforms can do that in 12.0). The interface command is
>
> ip verify unicast reverse-path
>
> For each packet it checks that it has a route back to the source
> IP address pointing out the interface where the packet entered,
> and drops the packet if it doesn't.
>
> For rather obvious reasons this feature cannot be used where you
> have asymmetric traffic patterns. This commonly occurs in backbone
> networks with "hot-potato" routing between providers which peer in
> multiple places. But then again, this checking should be done on
> the edges of the network, where asymmetry should be much less of a
> problem.
>
> With early revisions of 12.0 there were issues with helper-address
> handling -- bootp requests from 0.0.0.0 would be dropped on the
> floor instead of being forwarded (ugh!). I think that is now fixed,
> though.
>
> And, yes, we are using the feature.
>
> - Håvard

--
Neil J. McRae  C O L T  I N T E R N E T
neil at COLT.NET
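Added illustration, not part of the thread: a small simulation of the strict reverse-path check described above, run against a constructed routing table. It shows the spoofed-source drop the feature is meant for, the asymmetric-routing false positive Håvard warns about, and why a bootp request from 0.0.0.0 could be dropped. Treating the default route as a valid reverse path is a simplifying assumption of this model, not a statement about IOS behaviour.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB (assumption): prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0":       "Serial0",    # default route toward upstream A
    "198.51.100.0/24": "Serial1",    # prefix learned from peer/upstream B
    "192.0.2.0/24":    "Ethernet0",  # customer LAN behind this router
}

def lookup(fib, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    best_net, best_iface = None, None
    a = ip_address(addr)
    for prefix, iface in fib.items():
        net = ip_network(prefix)
        if a in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def strict_urpf(fib, src, ingress):
    """Strict unicast RPF: accept only if the route back to the source
    address points out the interface the packet arrived on."""
    return lookup(fib, src) == ingress

def filter_packets(fib, packets):
    """Apply the check to (src, ingress) pairs; returns the verdict per packet."""
    return [(src, ingress, "accept" if strict_urpf(fib, src, ingress) else "drop")
            for src, ingress in packets]

if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        ("192.0.2.10",   "Ethernet0"),  # customer host, correct interface -> accept
        ("192.0.2.10",   "Serial0"),    # customer address arriving from upstream -> drop (spoofed)
        ("203.0.113.5",  "Serial0"),    # reaches us via the default route -> accept
        ("198.51.100.7", "Serial0"),    # asymmetric: reply path is Serial1 -> dropped, a false positive
        ("0.0.0.0",      "Ethernet0"),  # bootp request: no route points at Ethernet0 -> drop
    ]
    for src, ingress, verdict in filter_packets(ROUTES, sample):
        print(f"{src:>14} in {ingress:<9} -> {verdict}")
```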