[Dshield] Egress filtering
haled at pionet.net
Fri Mar 7 17:54:26 GMT 2003
-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Piet Barber
Sent: Friday, March 07, 2003 10:02 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Egress filtering
> If you have a Cisco, just add 'ip verify unicast reverse-path' to the
> configuration of your inside router interfaces. Works great,
> fast-switched and MLS-capable, no access lists needed. If a packet
> arrives with a source address that is not in the routing table for that
> interface, it is dropped. Piece of cake. If you have a PIX, enable
> You and I are in complete agreement. It's easy to do, doesn't have much
> impact, it should be done at every edge. I wish more providers did this.
> Do the little home routers do this (LinkSys, Dlink, et al.)?
***** If the Linksys routers do this, I would be very interested in HOW to do it.
I am running Linksys at home and at the office and want to do everything I
can to make sure that I am not aiding and abetting this activity *******
> If everybody did this simple trick forged IP source attacks would be a
> thing of the past. I want to know how to get there from here. Would it
> be possible to make a SPEWS type list for networks that are known to not
> do any egress filtering? Should people start pressuring the NSPs to start
> cutting people off when they don't do this type of filtering?
> But there is a flip side as well. Should you allow 'bogons'
> reserved, or unused netblocks) as destination addresses either?
> That's why people should use Rob Thomas's Bogon list for filtering illegal
> network blocks inbound and outbound.
The address list gets updated as new /8s get allocated to the IP
Registries (RIPE, ARIN, APNIC, etc.)
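The strict reverse-path check and the bogon destination filter discussed in this thread, modelled in Python as an added example (not code from the thread, and not how any router implements it). The routing table, interface names, sample packets and the short bogon subset are constructed for illustration; the subset is not Rob Thomas's list.

```python
import ipaddress

# Constructed routing table (prefix -> interface the route points to).
# Documentation prefixes stand in for real customer networks.
FIB = [(ipaddress.ip_network(p), ifname) for p, ifname in [
    ("198.51.100.0/24", "inside0"),
    ("198.51.100.128/25", "inside1"),   # more specific route, other interface
    ("0.0.0.0/0", "outside0"),          # default route to the provider
]]

# Constructed short subset of reserved/private blocks, for illustration only.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]

def route_interface(addr):
    """Longest-prefix match: interface of the best route to addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifname) for net, ifname in FIB if ip in net]
    return max(matches)[1] if matches else None

def egress_verdict(in_if, src, dst):
    """Decide what an edge router does with a packet received on in_if."""
    # Strict reverse-path check: the best route back to the source must
    # point out of the interface the packet arrived on.
    if route_interface(src) != in_if:
        return "drop-urpf"
    # Bogon check on the destination, applied to outbound traffic.
    if any(ipaddress.ip_address(dst) in net for net in BOGONS):
        return "drop-bogon-dst"
    return "forward"

# Constructed sample packets: (arrival interface, source, destination).
PACKETS = [
    ("inside0", "198.51.100.10", "192.0.2.80"),   # legitimate
    ("inside0", "10.1.2.3", "192.0.2.80"),        # forged source
    ("inside0", "198.51.100.200", "192.0.2.80"),  # source lives on inside1
    ("inside1", "198.51.100.200", "10.9.9.9"),    # bogon destination
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", egress_verdict(*pkt))
```

The third packet shows why the check is per interface: the source is a valid internal address, but the best route to it points out of a different interface than the one it arrived on.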