[nsp-sec] Oh well, that didn't take long...
Barry Raveendran Greene
bgreene at senki.org
Sun Jan 10 12:45:31 EST 2010
> This is very interesting news...especially since Juniper support assured
> us that filtering on the router under attack would not help, though a
> filter on an upstream router that was running fixed code would.
Because you can spoof the packet and go right lo0 filter.
You need two layers - anti-spoofing + good lo0 filter. Core hiding/EMSEC
will also help (i.e. don't advertise your address blocks for infrastructure
and loopback).
The security advisory was updated to more clearly express what needs to be
done.
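
The two-layer point in the message above can be checked with a small model. This is an added example, not part of the original post or of any vendor advisory: the address blocks, packet records and function names are constructed assumptions, and the filters are simplified to source-address checks only.

```python
import ipaddress

# Constructed addressing (documentation ranges), not taken from the thread.
INFRA = ipaddress.ip_network("192.0.2.0/24")      # infrastructure and loopback block
TRUSTED = [ipaddress.ip_network("192.0.2.0/28")]  # sources the lo0 filter accepts
ROUTER_LO0 = ipaddress.ip_address("192.0.2.129")  # router loopback address

def edge_antispoof(pkt):
    """Layer 1: at the edge, drop packets that arrive from outside
    but claim a source address inside our own infrastructure block."""
    src = ipaddress.ip_address(pkt["src"])
    return not (pkt["ingress"] == "external" and src in INFRA)

def lo0_filter(pkt):
    """Layer 2: loopback filter, accept only trusted source addresses."""
    src = ipaddress.ip_address(pkt["src"])
    return any(src in net for net in TRUSTED)

def reaches_control_plane(pkt, antispoof, lo0):
    """True if the packet is delivered to the router's control plane."""
    if ipaddress.ip_address(pkt["dst"]) != ROUTER_LO0:
        return False
    if antispoof and not edge_antispoof(pkt):
        return False
    if lo0 and not lo0_filter(pkt):
        return False
    return True

# Constructed sample packets: only source, destination and ingress side matter.
PACKETS = {
    "internal_mgmt":    {"src": "192.0.2.5",    "dst": "192.0.2.129", "ingress": "internal"},
    "external_honest":  {"src": "198.51.100.7", "dst": "192.0.2.129", "ingress": "external"},
    "external_spoofed": {"src": "192.0.2.5",    "dst": "192.0.2.129", "ingress": "external"},
}

def evaluate():
    """Delivery result for each packet under each deployment."""
    layouts = {"lo0_only": (False, True),
               "antispoof_only": (True, False),
               "both": (True, True)}
    return {name: {p: reaches_control_plane(pkt, *flags)
                   for p, pkt in PACKETS.items()}
            for name, flags in layouts.items()}

if __name__ == "__main__":
    for layout, result in evaluate().items():
        print(layout, result)
```

Only the deployment with both layers delivers the internal management packet while dropping both external ones; each layer alone leaves one of the external packets reaching the control plane.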