[nsp] RPF question...

From: lists (lists@lists.grot.org)
Date: Mon Jan 22 2001 - 17:07:50 EST


We have an annoying spoofing situation that might be solved by putting RPF on
the router interface, but since I don't see this particular case covered in
the literature, I figure I might as well ask.

Cisco e4/0/4 x.y.125.1]----<x.y.125.0/24 subnet with many machines on it

one of the machines on the subnet is spoofing packets as x.y.125.1

Although the route for x.y.125.1 points out that interface and it would seem
that RPF would not prevent the spoofing, doing a:

sh ip cef | include x.y.125

gives:

x.y.125.0/24 attached Ethernet4/0/4
x.y.125.0/32 receive
x.y.125.1/32 receive
x.y.125.2/32 x.y.125.2 Ethernet4/0/4
x.y.125.41/32 x.y.125.41 Ethernet4/0/4
x.y.125.42/32 x.y.125.42 Ethernet4/0/4

Which seems to indicate that from a CEF perspective, x.y.125.1/32 and
x.y.125.0/32 (set to be broadcast) are treated differently than the rest of
x.y.125.0/24 and might in fact prevent the spoofed packet from making it past
the Cisco...

Can someone confirm that this is in fact the behaviour? (That particular
router has been melting all morning due to high-pps DoS originating from the
spoofing host so I'm reluctant to try it and cause other problems -- instead,
we have just taken the offending box off of that subnet but I want to prevent
this from happening in the future)

I can't find any text on the Cisco site to address this particular case, but I
believe I'm correct in believing that enabling RPF on that interface will in
fact prevent packets being spoofed as being from x.y.125.1 by any hosts on
that subnet.

Thanks,
Adi
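Added example, not part of the original post: a small Python model of the strict-mode uRPF decision the poster is reasoning about, run against a FIB built from the `sh ip cef` output quoted above. It assumes (this is the poster's inference, not something the page confirms from Cisco documentation) that a `receive` entry carries no egress interface, so the reverse-path check for a source equal to the router's own address cannot match the ingress interface and the packet is dropped. 203.0.113.0/24 (RFC 5737 documentation space) is a constructed stand-in for x.y.125.0/24; the interface names and lookup helpers are mine.

```python
"""Model of a strict-mode uRPF check against a CEF FIB (added illustration).

The FIB text below is constructed from the `sh ip cef` output in the post,
with 203.0.113.0/24 standing in for x.y.125.0/24.  Assumption (not confirmed
by the page): a 'receive' entry has no egress interface, so a packet whose
source is the router's own address fails the reverse-path interface match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `sh ip cef | include ...` output (x.y -> 203.0.113).
CEF_OUTPUT = """\
203.0.113.0/24 attached Ethernet4/0/4
203.0.113.0/32 receive
203.0.113.1/32 receive
203.0.113.2/32 203.0.113.2 Ethernet4/0/4
203.0.113.41/32 203.0.113.41 Ethernet4/0/4
203.0.113.42/32 203.0.113.42 Ethernet4/0/4
"""


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    kind: str                  # 'attached', 'receive' or 'nexthop'
    interface: Optional[str]   # None for receive entries (router-owned addresses)


def parse_cef(text: str) -> list[FibEntry]:
    """Parse the three line shapes seen in the post's CEF output."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = ipaddress.ip_network(fields[0])
        if fields[1] == "receive":
            entries.append(FibEntry(prefix, "receive", None))
        elif fields[1] == "attached":
            entries.append(FibEntry(prefix, "attached", fields[2]))
        else:
            # "<prefix> <next-hop> <interface>": a host adjacency on the LAN
            entries.append(FibEntry(prefix, "nexthop", fields[2]))
    return entries


def lookup(fib: list[FibEntry], addr: str) -> Optional[FibEntry]:
    """Longest-prefix match, the same selection CEF performs."""
    ip = ipaddress.ip_address(addr)
    best = None
    for entry in fib:
        if ip in entry.prefix and (
            best is None or entry.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = entry
    return best


def urpf_strict(fib: list[FibEntry], src: str, ingress: str) -> tuple[bool, str]:
    """Strict uRPF: the best route back to the source must leave via the
    interface the packet arrived on.  Returns (accept, reason)."""
    entry = lookup(fib, src)
    if entry is None:
        return False, "no route back to source"
    if entry.interface is None:
        # Router-owned address: nothing on the wire may legitimately use it.
        return False, f"source matches {entry.kind} entry {entry.prefix}; no reverse path"
    if entry.interface != ingress:
        return False, f"reverse path is {entry.interface}, packet arrived on {ingress}"
    return True, f"reverse path {entry.prefix} via {entry.interface} matches"


if __name__ == "__main__":
    fib = parse_cef(CEF_OUTPUT)
    # Constructed test packets: (source address, ingress interface)
    for src, iface in [
        ("203.0.113.1", "Ethernet4/0/4"),    # router's own address, spoofed
        ("203.0.113.41", "Ethernet4/0/4"),   # legitimate host on the LAN
        ("203.0.113.7", "Ethernet4/0/4"),    # host with no /32, covered by /24
        ("203.0.113.41", "Ethernet4/0/5"),   # LAN address from the wrong port
        ("192.0.2.9", "Ethernet4/0/4"),      # no route at all
    ]:
        ok, why = urpf_strict(fib, src, iface)
        print(f"{src:>14} on {iface}: {'accept' if ok else 'drop':6} ({why})")
```

The model treats the two `receive` entries (the interface address and the subnet address) exactly as the poster suspects: any packet arriving on the LAN claiming either as its source fails the check, while hosts covered by the `attached` /24 or their own /32 adjacencies pass. It does not model the loose-mode variant, which only asks that some route to the source exist and would therefore not catch the wrong-interface case.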



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:25 EDT