[c-nsp] DNS amplification
Nick Hilliard
nick at foobar.org
Sat May 11 16:58:37 EDT 2013
On 08/05/2013 15:06, "Rolf Hanßen" wrote:
> R2(config-if)#ip verify unicast source reachable-via rx ?
> ...
> allow-self-ping Allow router to ping itself (opens vulnerability in
> verification)
> l2-src Check packets arrive with correct L2 source address
>
> What kind of vulnerability is that? Just for my interest, I do not need
> to ping myself usually. ;)
In order to ping an interface address, the packet needs to go through the
normal packet forwarding process. This includes a uRPF check. As the ping
packet does not come from the interface itself, it will fail a uRPF check
and the packet will be dropped unless "allow-self-ping" is enabled. If you
enable "allow-self-ping", the vulnerability is that you can also send
packets to the router with srcip=dstip and they will pass the uRPF check.
Nick
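A small model of the strict-mode check Nick describes, added here as an illustration (this is not code from the thread or from Cisco, and it makes no claim about IOS internals). The router, its two interfaces, the FIB entries and the packets are all constructed; the router's own interface addresses are modelled as /32 "receive" entries that point at the local stack rather than at any interface, which is what makes a self-ping fail the reverse-path test. No default route is installed, so the separate "allow-default" question does not arise.

```python
from ipaddress import ip_address, ip_network

# Constructed sample router: two interfaces, each with a connected /24.
INTERFACE_ADDRS = {"Gi0/0": "192.0.2.1", "Gi0/1": "198.51.100.1"}

# Constructed FIB: prefix -> interface the prefix is reached through.
FIB = {
    ip_network("192.0.2.0/24"): "Gi0/0",
    ip_network("198.51.100.0/24"): "Gi0/1",
}
# The router's own addresses are /32 receive routes: they point to the local
# stack, not out of an interface, so a packet sourced from one of them never
# has a reverse path matching the ingress interface.
for _ifname, _addr in INTERFACE_ADDRS.items():
    FIB[ip_network(_addr + "/32")] = "receive"


def fib_lookup(addr):
    """Longest-prefix match over FIB; returns the via interface or None."""
    a = ip_address(addr)
    best = None
    for prefix, via in FIB.items():
        if a in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via)
    return best[1] if best else None


def urpf_strict(ingress_if, src, dst, allow_self_ping=False):
    """Model of 'ip verify unicast source reachable-via rx'.

    Returns (accepted, reason). Strict mode accepts a packet only when the
    best route back to its source points out the interface it arrived on.
    With allow_self_ping, a packet whose source equals its destination and
    whose destination is one of the router's own addresses skips that test;
    that exemption applies equally to a locally generated ping and to a
    packet from outside carrying srcip=dstip, which is the hole described.
    """
    own_addrs = set(INTERFACE_ADDRS.values())
    if allow_self_ping and src == dst and dst in own_addrs:
        return True, "allow-self-ping exemption, reverse-path test skipped"
    reverse_if = fib_lookup(src)
    if reverse_if == ingress_if:
        return True, "reverse path matches ingress interface"
    return False, f"reverse path via {reverse_if}, packet arrived on {ingress_if}"


if __name__ == "__main__":
    # Constructed packets: (ingress, src, dst, allow_self_ping)
    cases = [
        ("Gi0/0", "192.0.2.10", "198.51.100.9", False),   # normal traffic
        ("Gi0/0", "198.51.100.7", "198.51.100.9", False), # spoofed source
        ("Gi0/0", "192.0.2.1", "192.0.2.1", False),       # self-ping, default
        ("Gi0/0", "192.0.2.1", "192.0.2.1", True),        # self-ping, allowed
    ]
    for ingress, src, dst, asp in cases:
        ok, why = urpf_strict(ingress, src, dst, allow_self_ping=asp)
        print(f"{ingress} src={src} dst={dst} allow-self-ping={asp}: "
              f"{'accept' if ok else 'drop'} ({why})")
```

Running it shows the four outcomes in the post: ordinary traffic from the connected subnet passes, a source that belongs behind the other interface is dropped, the self-ping is dropped under the default setting because the /32 receive route does not point out Gi0/0, and enabling the exemption lets any srcip=dstip packet aimed at a router address through without a reverse-path lookup.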