-->
-->> circuit, so thats not too bad a problem there.
-->>
-->> > At the single homed connection a router option to reverse the sense of
-->> > the forwarding table on a specific interface (look up the source in
-->> > the forwarding table and only accept if the source is reachable
-->> > through that next hop) seems to be an effective preventative that could
-->> > be easily just "switched on".
-->>
-->> A very good idea.
-->If CISCO'll hear it -:)!
-->
-->
-->
-->>
-->> Perry
-->>
That sounded like a good idea until I considered asymmetric routing. You
are assuming the router always knows how to get back to its source, but
on the contrary, this router may not know how to get back to the source.
If you're routing traffic inbound to your organization one way and
outbound traffic goes another, then this option might unnecessarily block
traffic. Consider also what this would do during an unstable situation.
Traffic is already slow enough when a router is unstable because it may
not know how to get to the destination, but if you throw in the
requirement that it has to know how to get to the source as well, didn't
you just help the hacker by shutting down service for lots of people?
> -->> > the forwarding table and only accept if the source is reachable
> -->> > through that next hop) seems to be an effective preventative that could
> -->> > be easily just "switched on".
> -->>
> -->> A very good idea.
> -->If CISCO'll hear it -:)!
> -->
> -->
> -->
> -->>
> -->> Perry
> -->>
> That sounded like a good idea until I considered asymmetric routing. You
> are assuming the router always knows how to get back to its source, but
Did you read me and Antonov carefully? We have spoken about BORDER
interfaces with the CUSTOMERS. If -
- the default behaviour of CISCO would be _filter out packets with SRC addresses
not from the routing table for this interface_,
- it'll work on the CUSTOMER's interfaces for the single-homed customers,
- I should install this behaviour on the part of my interfaces
it'll protect us against more than 90% of these attacks.
Of course it's not possible to use this for internetwork interfaces in the
big network; it's difficult to use this for inter-network interfaces in case
of multihoming.
Now I have 2 kinds of interfaces there:
1) Strictly controlled interfaces for the customers. I have to use an exact list
of the network numbers I receive from these interfaces (even in case of BGP I
check not only AS-es but Networks too), and so on - it's because I don't
trust these users.
2) Peering interfaces - when I exchange routing with other ISPs I trust them and
am controlling AS paths only.
Usually I have asymmetrical routing on the interfaces of the 2nd type (but this
routing is usually the sign of _something wrong in this world_). And I do
not want asymmetric routing on the interfaces of the 1st kind.
> Traffic is already slow enough when a router is unstable because it may
> not know how to get to the destination, but if you throw in the
> requirement that it has to know how to get to the source as well, didn't
> you just help the hacker by shutting down service for lots of people?
How? I can't understand how this helps the hackers.
Though you are right in case of Universities (and it's no secret that universities
are the motherland of the hackers -:)).
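An added example, not part of this thread and not anyone's router code: it models the reverse-path check being argued over, looking the packet's source up in the same forwarding table and accepting the packet only if the best route for that source points back out the ingress interface. It then runs the check over a constructed three-interface topology (the documentation address ranges, interface names and packets are all assumed) to show the three cases raised above: the forged source on a customer interface that the check drops, the asymmetrically routed peer traffic that a check switched on everywhere would wrongly drop, and the legitimate customer traffic lost if the customer route disappears while the check is on.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    iface: str                      # next-hop (outgoing) interface


class ForwardingTable:
    """Longest-prefix-match table; the same table the router forwards with."""

    def __init__(self, routes):
        # Most specific prefix first, so the first hit is the best match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.IPv4Address(addr)
        for r in self.routes:
            if a in r.prefix:
                return r
        return None


def source_reachable_via(fib, src, ingress):
    """The reversed lookup: would a packet sent back to 'src' leave via 'ingress'?"""
    route = fib.lookup(src)
    return route is not None and route.iface == ingress


def classify(fib, strict_ifaces, packets):
    """packets: list of (ingress_iface, src_ip). Returns (accepted, dropped).
    The reverse-path check is applied only on interfaces in strict_ifaces;
    everything arriving elsewhere is accepted unchecked."""
    accepted, dropped = [], []
    for ingress, src in packets:
        if ingress in strict_ifaces and not source_reachable_via(fib, src, ingress):
            dropped.append((ingress, src))
        else:
            accepted.append((ingress, src))
    return accepted, dropped


# Constructed sample topology (documentation ranges, not a real network):
CUSTOMER_ROUTE = Route(ipaddress.ip_network("192.0.2.0/24"), "Serial0")    # single-homed customer
PEER_B_ROUTE = Route(ipaddress.ip_network("198.51.100.0/24"), "Serial2")   # learned from peer B
DEFAULT_ROUTE = Route(ipaddress.ip_network("0.0.0.0/0"), "Serial1")        # default via peer A

FIB = ForwardingTable([CUSTOMER_ROUTE, PEER_B_ROUTE, DEFAULT_ROUTE])

# Constructed sample packets: (ingress interface, source address)
PACKETS = [
    ("Serial0", "192.0.2.10"),     # customer's own address: legitimate
    ("Serial0", "203.0.113.7"),    # source the customer does not own, arriving on its interface
    ("Serial1", "198.51.100.5"),   # asymmetric: best route back is Serial2, packet came in via Serial1
]


def run_strict_everywhere():
    """The check 'switched on' on every interface, including peering links."""
    return classify(FIB, {"Serial0", "Serial1", "Serial2"}, PACKETS)


def run_customer_only():
    """The check only on the strictly controlled customer interface."""
    return classify(FIB, {"Serial0"}, PACKETS)


def run_during_instability():
    """Customer route has flapped out of the table while the check is on:
    the customer's own traffic now fails the reversed lookup."""
    unstable_fib = ForwardingTable([PEER_B_ROUTE, DEFAULT_ROUTE])
    return classify(unstable_fib, {"Serial0"}, PACKETS)


if __name__ == "__main__":
    for name, fn in [("strict everywhere", run_strict_everywhere),
                     ("customer interfaces only", run_customer_only),
                     ("customer route missing", run_during_instability)]:
        acc, drop = fn()
        print(f"{name}: accepted={acc} dropped={drop}")
```

With the check on every interface, the peer-B source arriving on Serial1 is dropped although it is legitimate, which is the asymmetric-routing objection; limiting the check to the customer interface keeps that traffic while still dropping the source the customer does not own. The last run shows the instability point: once the customer prefix leaves the table, the customer's own packets fail the reversed lookup on their own interface.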