From: Jared Scrivener (jscrivener@ipexpert.com)
Date: Thu Mar 19 2009 - 03:09:25 ART
Hey Vijay,
If you know the attacker(s) address or address range, use an inbound ACL.
That'll give you better performance.
uRPF has to do RPF checks on the CEF table for every flow, so that'll impact
performance - also uRPF may not work in every situation.
Strict mode requires a full routing table of all known networks and needs
symmetric routing (or you'll potentially get unwanted drops when you forward
traffic out a different interface than it is received from). Strict mode
with the "allow-default" option defeats half the purpose of uRPF - packets
can be spoofed from unknown sources. Loose mode uRPF doesn't stop spoofing
if the attacker knows which networks are legitimate.
Check out this link for a rundown on uRPF:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html
I hope that helps.
Cheers,
Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Sr. Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com
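An added example, not part of the original thread: a small Python model of the three uRPF behaviours Jared describes (strict, strict with allow-default, loose), run against a constructed forwarding table. The FIB, interface names and addresses are made up for illustration, and the check is a simplified model of the RPF logic, not Cisco's implementation.

```python
import ipaddress

# Constructed forwarding table (prefix -> interface the route points out of).
# 10.2.0.0/16 is reachable only via Gi0/2, but that customer also sends in on Gi0/3.
FIB = {
    "10.1.0.0/16": "Gi0/1",
    "10.2.0.0/16": "Gi0/2",
    "0.0.0.0/0":   "Gi0/0",   # default route toward the upstream
}

def lookup(src):
    """Longest-prefix match of src in FIB; returns (network, interface) or None."""
    addr, best = ipaddress.ip_address(src), None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf(src, ingress, mode="strict", allow_default=False):
    """True if the packet passes the reverse-path check, False if it is dropped."""
    hit = lookup(src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                   # only the default route matched: fail
    if mode == "loose":
        return True                    # loose: any route to the source suffices
    return iface == ingress            # strict: route must point back out ingress

def demo():
    """Each key reproduces one of the cases discussed in the thread."""
    return {
        # strict mode, symmetric path: legitimate traffic passes
        "strict_legit":      urpf("10.1.5.5", "Gi0/1"),
        # strict mode, asymmetric path: a legitimate packet is dropped
        "strict_asymmetric": urpf("10.2.9.9", "Gi0/3"),
        # unknown (spoofed) source from upstream: dropped without allow-default...
        "strict_unknown":    urpf("203.0.113.9", "Gi0/0"),
        # ...but accepted once allow-default is set
        "strict_allow_def":  urpf("203.0.113.9", "Gi0/0", allow_default=True),
        # loose mode: a spoofed packet using a known-legitimate prefix passes
        "loose_known_spoof": urpf("10.1.7.7", "Gi0/0", mode="loose"),
    }

if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:20s} {'pass' if passed else 'DROP'}")
```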
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Vijay Karanth
Sent: Thursday, 19 March 2009 1:27 AM
To: Cisco certification
Subject: Spoof attack
Hi,
In order to protect from spoof attack, is it better to have an inbound ACL
which is blocking the source network or is it better to use "ip verify
unicast reverse-path" with the ACL blocking the source network. Not sure
which one is the best practice, any thoughts?
Regards,
Vijay Karanth
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART