Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

How to use filter to protect router from IP source address spoofing

Hi all:

If i want to make router only forwarding packet which is in its routing table and drop packet which is maybe spoofing? Can i config router to do this?

How can i do that?

Can Unicast RPF do that? Should i both filtering private address and also config Unicast RPF then i could protect router from the source address spoofing?

Thanks

5 REPLIES
Cisco Employee

Re: How to use filter to protect router from IP source address s

Yes, you can use ip verify unicast rpf to protect against anti-spoofing.

The following link discusses both using ip verify unicast rpf and access-list.

http://www.cisco.com/warp/public/707/21.html#spoofing

hope this helps,

-Nairi

New Member

Re: How to use filter to protect router from IP source address s

thanks,

Is that till now what we can do are only "unicast rpf" and" filter private address". How about if the address is real and is in the router's routing table

xh

Cisco Employee

Re: How to use filter to protect router from IP source address s

I am not sure what you mean.

If the source address is a public address, the router will forward the packet if the source address and source interface appear in the routing table and match the interface on which the packet was received.

You can enable unicast rpf on the interface as well as apply an ACL to deny traffic sourced from private network.

When a packet is received at the interface where Unicast RPF and ACLs have been configured, the following actions occur:

1. Input ACLs configured on the inbound interface are checked.

2. Unicast RPF checks to see if the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.

3. CEF table (FIB) lookup is carried out for packet forwarding.

4. Output ACLs are checked on the outbound interface.

5. The packet is forwarded.

Regards,

-Nairi

New Member

Re: How to use filter to protect router from IP source address s

Thanks,

Some time the attack is go though another service provider and it has valid routing and not a private address. They just continue to change their source address and it is all valid address. In this cast the unicast RPF and ACL may not help.

By , Do you know if the DDOS in a low speed link will truely affect the routing protocol (OSPF) ? When low speed FR link is facing a lot of burst traffic, sometimes i saw the routing session is down for OSPF. How can we deal with that ? Can we prioritize the ospf packet over a low speed FR link ?

Thanks again

Cisco Employee

Re: How to use filter to protect router from IP source address s

If the source address is a valid address and keeps changing, you will be hard to deny using acl. One method to overcome that would be to rate-limit the traffic:

http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html

http://www.cisco.com/warp/customer/707/newsflash.html#prevention

As for prioritizing routing update on FR network, one way I can think of is setting the discard Eligible bit on all traffic except routing update.

http://www.cisco.com/warp/customer/105/config_fr_pvc.html

Hope this helps,

-Nairi

247
Views
0
Helpful
5
Replies