Sgt_B wrote:
Adding SPI to the upstream provider sounds like a good idea, and in theory it is. However, the cost in terms of processing and memory to track all those connections would be substantial. Not impossible, but it would require providers to increase hardware capabilities for the sole purpose of security. That costs lotsa money and they ain't gonna do it any time soon.
Weaver wrote:
Would "no-export" on a /32 even be accepted or would it itself be filtered?
Sgt_B wrote:
Essentially, when enabled, the router will validate whether source traffic entered on the same interface that egress traffic would leave the router. This allows it to determine with a decent degree of accuracy whether the IP was spoofed. This allows the router to check traffic based on its routing table and not a stored state table (i.e., it's faster and cheaper). This reduces the impact of the DDoS while allowing legitimate traffic.
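The reverse-path check described in that post, written out as an added example (not code from the thread or from any router vendor): a longest-prefix lookup on a constructed routing table decides whether the route back to a packet's source leaves via the interface the packet arrived on. It also shows loose mode and the default-route and black-hole cases, which are assumptions about how such filters are usually configured, not something the post states.

```python
import ipaddress

# Constructed routing table (prefix, egress interface); not taken from the thread.
# "Null0" is a discard route, such as a remote-triggered black hole would install.
ROUTES = [
    ("0.0.0.0/0", "Gi0/0"),          # default route toward upstream
    ("203.0.113.0/24", "Gi0/1"),     # customer A
    ("198.51.100.0/24", "Gi0/2"),    # customer B
    ("198.51.100.128/25", "Gi0/3"),  # more-specific part of customer B
    ("192.0.2.0/24", "Null0"),       # black-holed prefix
]

def lookup(routes, ip):
    """Longest-prefix match; returns (network, egress_iface) or None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(routes, src_ip, ingress, mode="strict", allow_default=False):
    """True if a packet from src_ip arriving on ingress passes the reverse-path check.
    strict: the route back to the source must leave via the ingress interface.
    loose:  any non-discard route to the source is enough."""
    match = lookup(routes, src_ip)
    if match is None:
        return False                  # no route to the source: drop
    net, egress = match
    if egress == "Null0":
        return False                  # source sits in a black-holed prefix
    if net.prefixlen == 0 and not allow_default:
        return False                  # a default route would vouch for any source
    if mode == "loose":
        return True
    return egress == ingress          # strict: reverse path must match ingress

def filter_packets(routes, packets, mode="strict"):
    """Apply the check to (src_ip, ingress) pairs; return one verdict per packet."""
    return [urpf_check(routes, src, iface, mode) for src, iface in packets]

# Constructed sample traffic, one tuple per packet.
PACKETS = [
    ("203.0.113.7", "Gi0/1"),     # customer A address from customer A: legitimate
    ("203.0.113.7", "Gi0/2"),     # customer A address arriving from B: spoofed
    ("198.51.100.200", "Gi0/3"),  # matches the /25 on the correct interface
    ("198.51.100.200", "Gi0/2"),  # asymmetric path: strict drops it, loose allows it
    ("192.0.2.5", "Gi0/1"),       # black-holed source: dropped in both modes
    ("100.64.0.1", "Gi0/0"),      # only the default route covers it
]
```

The fourth packet is the usual objection to strict mode: a legitimate source reached over an asymmetric path is dropped, which is why loose mode exists for multihomed edges.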
Sgt_B wrote:
It's a 4-part series, the uRPF stuff is in part 4.
http://pierky.wordpress.com/2009/05/31/gns3-lab-remote-triggered-black-holing/