[Dshield] Egress filtering
pbarber at pietbarber.com
Fri Mar 7 16:02:23 GMT 2003
> If you have a Cisco, just add 'ip verify unicast reverse-path' to the
> configuration of your inside router interfaces. Works great,
> fast-switched and MLS-capable, no access lists needed. If a packet
> arrives with a source address that is not in the routing table for that
> interface, it is dropped. Piece of cake. If you have a PIX, enable
You and I are in complete agreement. It's easy to do, doesn't have much
impact, and it should be done at every edge. I wish more providers did this.
Do the little home routers do this (Linksys, D-Link, et al.)?
If everybody did this simple trick, forged IP source attacks would be a
thing of the past. I want to know how to get there from here. Would it
be possible to make a SPEWS-type list for networks that are known to not
do any egress filtering? Should people start pressuring the NSPs to start
cutting people off when they don't do this type of filtering?
> But there is a flip side as well. Should you allow 'bogons' (RFC-1918,
> reserved, or unused netblocks) as destination addresses either?
That's why people should use Rob Thomas's Bogon list for filtering illegal
network blocks inbound and outbound.
The address list gets updated as new /8s get allocated to the IP
registries (RIPE, ARIN, APNIC, etc.).
More information about the list
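The reverse-path check and the bogon filter discussed in this message, modelled in Python as an added example (this is not code from the original post, from Cisco or from the bogon list's maintainers). The routing table, interface names and sample packets are constructed for the example; the bogon list is a fixed subset of reserved space, not the maintained list the message refers to; and the handling of the default route (ignored unless allow_default is set) is an assumption about strict-mode behaviour, not a claim about any vendor's implementation.

```python
"""Strict unicast reverse-path forwarding (uRPF) check plus bogon filtering.

Models the behaviour the thread describes: a packet whose source address is
not routed back out the interface it arrived on is dropped, and packets with
a bogon source or destination are dropped regardless of interface.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed routing table: interface -> prefixes reached through it.
# Ethernet0/1 are "inside" customer interfaces; Serial0 is the upstream
# link and only carries a default route. (Assumed topology, not real.)
ROUTES: Dict[str, List[IPNet]] = {
    "Ethernet0": [ipaddress.ip_network("192.0.2.0/24")],
    "Ethernet1": [ipaddress.ip_network("198.51.100.0/24")],
    "Serial0": [ipaddress.ip_network("0.0.0.0/0")],
}

# Fixed illustrative bogon subset: RFC 1918 plus other reserved blocks.
# The maintained list also tracks unallocated /8s, which change as the
# registries receive new space; that moving part is not modelled here.
BOGONS: List[IPNet] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def bogon_match(addr: ipaddress.IPv4Address,
                bogons: List[IPNet] = BOGONS) -> Optional[IPNet]:
    """Return the bogon prefix containing addr, or None."""
    for net in bogons:
        if addr in net:
            return net
    return None


def best_route(addr: ipaddress.IPv4Address,
               routes: Dict[str, List[IPNet]] = ROUTES,
               allow_default: bool = False) -> Optional[Tuple[str, IPNet]]:
    """Longest-prefix match for addr: (interface, prefix) or None.

    The default route (prefix length 0) only participates when
    allow_default is True; this mirrors strict-mode uRPF, which would
    otherwise accept any source on an interface holding a default route.
    """
    best: Optional[Tuple[str, IPNet]] = None
    for iface, nets in routes.items():
        for net in nets:
            if net.prefixlen == 0 and not allow_default:
                continue
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
    return best


def filter_packet(ingress: str, src: str, dst: str, *,
                  routes: Dict[str, List[IPNet]] = ROUTES,
                  bogons: List[IPNet] = BOGONS,
                  allow_default: bool = False) -> Tuple[bool, str]:
    """Decide whether a packet is forwarded; returns (forwarded, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = bogon_match(s, bogons)
    if hit is not None:
        return False, f"drop: bogon source {s} in {hit}"
    hit = bogon_match(d, bogons)
    if hit is not None:
        return False, f"drop: bogon destination {d} in {hit}"
    route = best_route(s, routes, allow_default)
    if route is None:
        return False, f"drop: uRPF, no route back to source {s}"
    iface, net = route
    if iface != ingress:
        return False, (f"drop: uRPF, source {s} ({net}) is reachable via "
                       f"{iface} but arrived on {ingress}")
    return True, f"forward: source {s} verified via {net} on {ingress}"


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination).
    samples = [
        ("Ethernet0", "192.0.2.10", "203.0.113.1"),     # legitimate outbound
        ("Ethernet0", "198.51.100.5", "203.0.113.1"),   # spoofing the other LAN
        ("Ethernet0", "203.0.113.9", "203.0.113.1"),    # spoofing an outside host
        ("Serial0", "192.0.2.7", "198.51.100.1"),       # inbound spoof of inside space
        ("Serial0", "203.0.113.9", "192.0.2.10"),       # legitimate inbound
        ("Ethernet0", "10.0.0.5", "203.0.113.1"),       # RFC 1918 source
        ("Ethernet0", "192.0.2.10", "192.168.1.1"),     # RFC 1918 destination
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(*pkt)[1])
    # Same inbound packet with the default route admitted on Serial0.
    print("allow_default:", filter_packet(*samples[4], allow_default=True)[1])
```

The two Serial0 cases are the caveat worth noticing: on an interface that holds only a default route, strict uRPF either drops every legitimate inbound packet (default route excluded) or verifies nothing (default route admitted), which is why the quoted reply applies the check to the inside interfaces, where each customer block has a specific route.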