How to use filter to protect router from IP source address spoofing

xwang2
Level 1

Hi all:

If I want to make the router only forward packets whose source is in its routing table and drop packets that may be spoofed, can I configure the router to do this?

How can I do that?

Can Unicast RPF do that? Should I both filter private addresses and also configure Unicast RPF, so that I can protect the router from source address spoofing?

Thanks


Nairi Adamian
Cisco Employee

Yes, you can use ip verify unicast rpf to protect against spoofing.

The following link discusses both using ip verify unicast rpf and access-list.

http://www.cisco.com/warp/public/707/21.html#spoofing

hope this helps,

-Nairi

Thanks,

Is it that, until now, all we can do is "unicast rpf" and "filter private addresses"? What about if the address is real and is in the router's routing table?

xh

I am not sure what you mean.

If the source address is a public address, the router will forward the packet if the source address and source interface appear in the routing table and match the interface on which the packet was received.

You can enable unicast RPF on the interface as well as apply an ACL to deny traffic sourced from private networks.

When a packet is received at the interface where Unicast RPF and ACLs have been configured, the following actions occur:

1. Input ACLs configured on the inbound interface are checked.

2. Unicast RPF checks to see if the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.

3. CEF table (FIB) lookup is carried out for packet forwarding.

4. Output ACLs are checked on the outbound interface.

5. The packet is forwarded.

Regards,

-Nairi
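The five-step pipeline above (input ACL, then the uRPF reverse lookup, then the FIB lookup for forwarding) is easy to misread, in particular the difference between strict mode (`ip verify unicast source reachable-via rx`, historically `ip verify unicast reverse-path`) and loose mode (`reachable-via any`), and the effect of the `allow-default` keyword. The following is an added example, not Cisco code and not from anyone in this thread: a small Python model of that decision order. The FIB, interface names, address ranges (RFC 5737 documentation prefixes) and packets are all constructed for the illustration; the output ACL step is not modelled.

```python
"""Toy model of the inbound pipeline described in the thread:
input ACL -> Unicast RPF check -> FIB lookup -> forward.
Added example; not Cisco IOS code. Everything below is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed FIB as (prefix, egress interface). Lookups use longest-prefix
# match, as CEF does.
FIB = [
    ("0.0.0.0/0", "Serial0"),           # default route toward the upstream ISP
    ("203.0.113.0/24", "Ethernet0"),    # our customer LAN (TEST-NET-3)
    ("198.51.100.0/24", "Ethernet1"),   # a second customer LAN (TEST-NET-2)
]

# Sources an inbound ACL would deny on the Internet-facing interface
# (the "filter private addresses" part of the thread), e.g.
#   access-list 110 deny ip 10.0.0.0 0.255.255.255 any
PRIVATE_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str   # interface the packet arrived on


def fib_lookup(addr):
    """Longest-prefix match. Returns (network, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def input_acl_permits(pkt):
    """Step 1: the inbound ACL. Deny anything sourced from private space."""
    ip = ipaddress.ip_address(pkt.src)
    return not any(ip in net for net in PRIVATE_SOURCES)


def urpf_permits(pkt, mode, allow_default=False):
    """Step 2: reverse lookup of the *source* address in the FIB.
    strict: the route back to the source must point out the ingress interface.
    loose:  any route back to the source is enough.
    In both modes a source that matches only the default route fails unless
    allow_default is set (the allow-default keyword)."""
    hit = fib_lookup(pkt.src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return iface == pkt.ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


def process(pkt, urpf_mode=None, allow_default=False):
    """Run steps 1, 2, 3 and 5. Returns ("drop", reason) or ("forward", egress)."""
    if not input_acl_permits(pkt):
        return ("drop", "input ACL: private source")
    if urpf_mode and not urpf_permits(pkt, urpf_mode, allow_default):
        return ("drop", f"uRPF {urpf_mode}: {pkt.src} not reachable via {pkt.ingress}")
    route = fib_lookup(pkt.dst)          # step 3: forwarding lookup
    if route is None:
        return ("drop", "no route to destination")
    return ("forward", route[1])         # step 5


if __name__ == "__main__":
    cases = [
        # legitimate customer traffic, strict mode on the customer port
        (Packet("203.0.113.5", "192.0.2.1", "Ethernet0"), "strict", False),
        # customer on Ethernet0 spoofing the other customer's range
        (Packet("198.51.100.9", "192.0.2.1", "Ethernet0"), "strict", False),
        # same spoof, but loose mode lets it through (a route exists somewhere)
        (Packet("198.51.100.9", "192.0.2.1", "Ethernet0"), "loose", False),
        # RFC 1918 source from the Internet: stopped by the ACL before uRPF
        (Packet("10.1.1.1", "203.0.113.5", "Serial0"), "loose", True),
        # outsider spoofing *our* prefix: strict on Serial0 drops it
        (Packet("203.0.113.5", "203.0.113.9", "Serial0"), "strict", True),
        # routable, changing source from the Internet: nothing here stops it
        (Packet("192.0.2.77", "203.0.113.9", "Serial0"), "loose", True),
    ]
    for pkt, mode, allow in cases:
        print(f"{pkt.src:>14} in {pkt.ingress:<9} uRPF={mode:<6} allow-default={allow!s:<5} -> {process(pkt, mode, allow)}")
```

The last case is the situation raised later in the thread: a source that is globally routable and simply keeps changing passes the ACL, passes loose uRPF, and passes strict uRPF too if it arrives on the interface the default route points out of, so neither mechanism helps there. Strict mode only pays off on interfaces where routing is symmetric (customer and access ports); on an upstream link with a default route it needs `allow-default`, and even then it only catches sources for which a more specific route points elsewhere, as in the fifth case.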

Thanks,

Sometimes the attack goes through another service provider, and it has valid routing and is not a private address. They just keep changing their source address, and they are all valid addresses. In this case Unicast RPF and ACLs may not help.

By the way, do you know if a DDoS on a low-speed link will truly affect the routing protocol (OSPF)? When a low-speed FR link is facing a lot of burst traffic, sometimes I see the OSPF routing session go down. How can we deal with that? Can we prioritize the OSPF packets over a low-speed FR link?

Thanks again

Nairi Adamian
Cisco Employee

If the source address is a valid address and keeps changing, it will be hard to deny it using an ACL. One method to overcome that would be to rate-limit the traffic:

http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html

http://www.cisco.com/warp/customer/707/newsflash.html#prevention

As for prioritizing routing updates on a FR network, one way I can think of is setting the Discard Eligible bit on all traffic except routing updates.

http://www.cisco.com/warp/customer/105/config_fr_pvc.html

Hope this helps,

-Nairi
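The rate-limiting suggestion above (CAR, `rate-limit input access-group ... conform-action transmit exceed-action drop`) works because the policer does not care what the source address is: it only asks whether the matched class is within its committed rate and burst. The following is an added example, not Cisco code and not from anyone in this thread: a single-bucket policer in Python with the same conform/exceed shape, run over a constructed ICMP flood and over a constructed well-behaved flow. The rate, burst and packet timings are made up for the illustration, and the bucket is a simplified model (CAR's extended-burst behaviour is not reproduced).

```python
"""Token-bucket policer with CAR-style conform/exceed actions.
Added example; not Cisco code. All inputs below are constructed."""


class TokenBucket:
    """Committed rate in bits/s, burst in bytes. Tokens are bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0       # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0                   # time of the last refill

    def admit(self, now, size):
        """Refill for elapsed time, then spend `size` tokens if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True       # conform-action transmit
        return False          # exceed-action drop


def police(packets, rate_bps, burst_bytes):
    """packets: iterable of (arrival_time_seconds, size_bytes), in time order.
    Returns a list of "transmit"/"drop", one per packet."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return ["transmit" if bucket.admit(t, size) else "drop" for t, size in packets]


# Constructed ICMP flood: 100 echo requests of 1000 bytes, one every millisecond
# (8 Mbit/s), far above a 64 kbit/s committed rate with a 16 kB burst.
FLOOD = [(i * 0.001, 1000) for i in range(100)]

# Constructed normal flow: 1000-byte packets every 200 ms (40 kbit/s), under the rate.
NORMAL = [(i * 0.2, 1000) for i in range(10)]


def summarize(decisions):
    """Count transmit/drop decisions as (transmitted, dropped)."""
    return decisions.count("transmit"), decisions.count("drop")


if __name__ == "__main__":
    print("flood :", summarize(police(FLOOD, 64_000, 16_000)))
    print("normal:", summarize(police(NORMAL, 64_000, 16_000)))
```

With a full 16 kB bucket and only 8 bytes of refill per millisecond, the flood gets its first sixteen packets through on the burst allowance and then is dropped for the rest of the window, regardless of what source address each packet carries; the normal flow, which never outruns the refill, is untouched. The caveat for the OSPF question in the thread is the same as for DE marking: a policer on the ingress ACL only protects the link if the attack traffic can be classified at all, and a blanket limit on a class that also carries legitimate traffic drops some of it too.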