[c-nsp] DNS amplification

Nick Hilliard nick at foobar.org
Sat May 11 16:58:37 EDT 2013


On 08/05/2013 15:06, "Rolf Hanßen" wrote:
> R2(config-if)#ip verify unicast source reachable-via rx ?
> ...
>   allow-self-ping  Allow router to ping itself (opens vulnerability in
> verification)
>   l2-src         Check packets arrive with correct L2 source address
> 
> What kind of vulnerability is that? Just for my interest, I do not need
> to ping myself usually. ;)

In order to ping an interface address, the packet needs to go through the
normal packet forwarding process.  This includes a uRPF check.  As the ping
packet does not come from the interface itself, it will fail a uRPF check
and the packet will be dropped unless "allow-self-ping" is enabled.  If you
enable "allow-self-ping", the vulnerability is that you can also send
packets to the router with srcip=dstip and they will pass the uRPF check.

Nick
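
As an added illustration (not from Nick's mail or from Cisco's code), the following Python toy models the strict uRPF decision Nick describes: the FIB, interface names, the addresses and the way allow-self-ping is modelled (skip the check when the source is one of the router's own addresses) are all assumptions, not IOS internals.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

LOCAL = "local"  # pseudo next-hop for the router's own (receive) addresses


@dataclass
class Router:
    """Toy router: its FIB and the addresses it owns (assumed model, not IOS)."""
    fib: dict        # IPv4Network -> egress interface name, or LOCAL
    own_addrs: set   # IPv4Address values the router answers for

    def best_route(self, addr: IPv4Address):
        """Longest-prefix match of addr against the FIB; None if unrouted."""
        matches = [p for p in self.fib if addr in p]
        if not matches:
            return None
        return self.fib[max(matches, key=lambda p: p.prefixlen)]


def strict_urpf_accepts(r: Router, ingress: str, src: str, dst: str,
                        allow_self_ping: bool = False) -> bool:
    """Strict uRPF (reachable-via rx): the best route back to src must point
    out the interface the packet arrived on; dst plays no part in the check.
    allow-self-ping is modelled as 'skip the check when src is one of the
    router's own addresses', so a packet merely claiming that source passes."""
    s = ip_address(src)
    if allow_self_ping and s in r.own_addrs:
        return True  # this exemption is the hole described in the thread
    return r.best_route(s) == ingress


def build_router() -> Router:
    # Constructed example topology using RFC 5737 documentation addresses.
    return Router(
        fib={
            ip_network("192.0.2.0/24"): "Gi0/0",
            ip_network("198.51.100.0/24"): "Gi0/1",
            ip_network("0.0.0.0/0"): "Gi0/1",
            ip_network("192.0.2.1/32"): LOCAL,  # receive route for own address
            ip_network("198.51.100.1/32"): LOCAL,
        },
        own_addrs={ip_address("192.0.2.1"), ip_address("198.51.100.1")},
    )


if __name__ == "__main__":
    r = build_router()
    # (ingress, src, dst): legitimate host, spoofed source, srcip=dstip=router
    for p in [("Gi0/0", "192.0.2.7", "198.51.100.9"),
              ("Gi0/0", "203.0.113.5", "198.51.100.9"),
              ("Gi0/0", "192.0.2.1", "192.0.2.1")]:
        print(p, strict_urpf_accepts(r, *p), strict_urpf_accepts(r, *p, allow_self_ping=True))
```

The third packet is dropped by strict uRPF alone but accepted once allow-self-ping is on, which is the behaviour the reply warns about.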