[c-nsp] DNS amplification

"Rolf Hanßen" nsp at rhanssen.de
Sun Mar 17 12:46:21 EDT 2013


Hello,

is there some guide that covers the "this will go to the RP on Sup..." and
the "this will also affect ..." and "this is limited to xy
interfaces/vlans/routes" stuff ?

We thought about implementing strict mode on some customer interfaces
(those special customers who always get attacked and sometimes take
revenge ;)) some time ago, but then saw that doc here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html

We stopped after reading those sentences (it does not even mention any
IPv6 limitations):
"The most recently configured mode is automatically applied to all ports
configured for unicast RPF check."
"When you enter the ip verify unicast source reachable-via command, the
unicast RPF check mode changes on all ports in the switch."

If that is not just a bad/wrong explanation or a joke, what sense does
uRPF make if it cannot be enabled and configured for each interface
individually and, as a consequence of this, cannot be implemented without
possible service impact?

I am sure we are not the only ones who do not activate it because it may
cause more problems than it will solve.
btw, if there is a way to enable it for single (VLAN) interfaces (up to a
few hundred) without any effect on other interfaces, please let me know.

kind regards
Rolf

> Hi,
>
> On Sat, Mar 16, 2013 at 03:59:25PM -0700, Laurent Geyer wrote:
>> Curious, how does uRPF help under this scenario? Although the source
>> address is spoofed, the target is still a valid destination address.
>
> uRPF helps everybody else - those of your customers with infected machines
> (and don't claim there aren't any) will not be able to initiate reflection
> attacks against other folks.
>
> gert,
>   deploying uRPF for 10+ years "it's really not that hard"
>
> (PS: and yes, the fact that Sup720 can't do IPv6 uRPF in hardware stinks)
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
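The exchange above turns on what strict and loose uRPF actually decide per packet: strict mode requires the best route back to the source address to point out the interface the packet arrived on, loose mode only requires that some route to the source exists. The following simulation is an added example, not code from the thread or from Cisco; the forwarding table, interface names and sample packets are constructed so it runs offline. It shows why a packet with a spoofed victim address from a customer port is dropped under strict mode (the reflection case Gert describes) and why a multihomed customer whose traffic arrives on a link that is not the FIB's best path is dropped too (the service-impact case Rolf worries about).

```python
"""
Added example (not from the thread): simulate unicast RPF strict and loose
checks against a small constructed forwarding table.
"""
import ipaddress

# Constructed FIB: prefix -> interface the router would forward to.
# Interface names are hypothetical.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "TenGigabitEthernet1/1",  # default route towards upstream
    ipaddress.ip_network("192.0.2.0/24"): "Vlan100",            # customer A, single-homed
    ipaddress.ip_network("198.51.100.0/24"): "Vlan200",         # customer B, best path only;
                                                                # B also sends via Vlan201
}


def fib_lookup(addr):
    """Longest-prefix match. Returns (prefix, interface) or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in FIB.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best


def urpf_permits(src, ingress, mode, allow_default=False):
    """True if a packet with source 'src' arriving on 'ingress' passes the check.

    strict:        the FIB's best path back to the source must point out 'ingress'.
    loose:         any route to the source is enough, regardless of interface.
    allow_default: whether a match on the default route counts as a route at all
                   (the 'allow-default' keyword of ip verify unicast source reachable-via).
    """
    match = fib_lookup(src)
    if match is None:
        return False
    prefix, ifname = match
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return ifname == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed sample packets: (description, source address, ingress interface)
PACKETS = [
    ("customer A, own address",       "192.0.2.10",   "Vlan100"),
    ("customer A, spoofed victim IP", "203.0.113.5",  "Vlan100"),  # reflection traffic
    ("customer B, secondary link",    "198.51.100.7", "Vlan201"),  # asymmetric routing
]


def run(mode, allow_default=False):
    """Apply the check to every sample packet; returns {description: permitted}."""
    return {desc: urpf_permits(src, ingress, mode, allow_default)
            for desc, src, ingress in PACKETS}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for desc, ok in run(mode).items():
            print(f"{mode:6s} {desc:32s} {'permit' if ok else 'DROP'}")
```

The third packet is the trade-off in one line: strict mode drops it because the FIB's best path to 198.51.100.0/24 is Vlan200, not Vlan201, even though the customer legitimately owns the address; loose mode passes it but would also pass any spoofed source that happens to have a route (and, with allow-default, practically any source at all). Applying strict mode only on single-homed customer ports and loose mode elsewhere is the usual way to keep the anti-spoofing benefit without that collateral damage, which is exactly why a per-interface mode matters.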