
[no subject]



# Uncomment the next two lines to enable Spoof protection (reverse-path 
# filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

Unfortunately, the net.ipv6 equivalents for those do not yet seem to be a 
thing on Linux.

For a belt-and-suspenders approach:
If you're running an edge network and not transiting traffic for any other 
AS, consider using prefix lists of your assigned aggregates to filter on 
egress at your edge for anything not sourced from those aggregates.

I'm curious as to the deployment scope and experiences of various sizes of 
networks in deploying the following:

1.  Strict uRPF on customer-facing ports on edge networks

2.  Source address filtering on upstream edge egress based on assigned 
aggregates

3.  Destination address filtering on upstream edge ingress based on 
assigned aggregates

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal
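The aggregate-based egress and ingress filtering in items 2 and 3 above, as an added example that is not part of the original post: a Python script that builds both filters from a list of assigned aggregates, renders them as an nftables ruleset in the inet family (one table for IPv4 and IPv6, so the filter does not depend on any per-family sysctl), and evaluates constructed sample packets against the same membership test so the policy can be checked offline before it is loaded. The prefixes (documentation space), the interface name eth0, and the table, set and chain names are assumptions for illustration; the rules sit on the forward hook, i.e. on routed traffic crossing the edge router.

```python
"""Prefix-list anti-spoofing for an edge network that does not transit other ASes.

Two filters on the upstream-facing interface, built from the AS's assigned aggregates:
  * egress:  drop anything whose SOURCE is not inside the aggregates
             (nothing spoofed leaves the network);
  * ingress: drop anything whose DESTINATION is not inside the aggregates
             (nothing that is not ours is accepted from upstream).
The same membership test is used both to render an nftables ruleset and to
evaluate constructed sample packets offline before the ruleset is loaded.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed for this example: documentation prefixes standing in for real
# assignments, and an assumed interface name for the upstream edge.
ASSIGNED_AGGREGATES = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"]
UPSTREAM_IFACE = "eth0"


def parse_aggregates(prefixes: Iterable[str]) -> List[Network]:
    """Parse prefixes; strict=True rejects a prefix with host bits set (a typo in
    a prefix list silently widens or narrows the filter, so fail loudly instead)."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def in_aggregates(addr: str, aggregates: List[Network]) -> bool:
    """True if addr falls inside any aggregate of the same address family."""
    ip = ipaddress.ip_address(addr)
    return any(net.version == ip.version and ip in net for net in aggregates)


def decide_egress(src: str, aggregates: List[Network]) -> str:
    """Item 2 above: toward upstream, only our own source addresses may leave."""
    return "accept" if in_aggregates(src, aggregates) else "drop"


def decide_ingress(dst: str, aggregates: List[Network]) -> str:
    """Item 3 above: from upstream, only packets for our own addresses are accepted."""
    return "accept" if in_aggregates(dst, aggregates) else "drop"


def _nft_set(name: str, addr_type: str, elems: List[str]) -> str:
    body = f"type {addr_type}; flags interval;"
    if elems:  # an empty 'elements = { }' is a syntax error, so omit it
        body += " elements = { " + ", ".join(elems) + " };"
    return f"    set {name} {{ {body} }}"


def nft_ruleset(aggregates: List[Network], iface: str = UPSTREAM_IFACE) -> str:
    """Render an nftables ruleset in the inet family so one table covers v4 and v6.
    Rules sit on the forward hook, i.e. on routed traffic crossing the edge box.
    An empty family set (no v4 or no v6 assigned) correctly drops that family."""
    v4 = [str(n) for n in aggregates if n.version == 4]
    v6 = [str(n) for n in aggregates if n.version == 6]
    rules = [
        "table inet antispoof {",
        _nft_set("own4", "ipv4_addr", v4),
        _nft_set("own6", "ipv6_addr", v6),
        "    chain edge {",
        "        type filter hook forward priority 0; policy accept;",
        f'        oifname "{iface}" ip saddr != @own4 counter drop',
        f'        oifname "{iface}" ip6 saddr != @own6 counter drop',
        f'        iifname "{iface}" ip daddr != @own4 counter drop',
        f'        iifname "{iface}" ip6 daddr != @own6 counter drop',
        "    }",
        "}",
    ]
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    aggs = parse_aggregates(ASSIGNED_AGGREGATES)
    print(nft_ruleset(aggs))
    # Constructed sample packets: (direction, src, dst)
    samples = [
        ("egress", "203.0.113.10", "192.0.2.1"),       # our space -> internet: allowed
        ("egress", "192.0.2.7", "192.0.2.1"),          # spoofed source: dropped
        ("egress", "2001:db8:1::1", "2001:db8:ffff::1"),
        ("ingress", "192.0.2.1", "198.51.100.20"),     # toward our space: allowed
        ("ingress", "192.0.2.1", "192.0.2.9"),         # not for us: dropped
    ]
    for direction, src, dst in samples:
        verdict = (decide_egress(src, aggs) if direction == "egress"
                   else decide_ingress(dst, aggs))
        print(f"{direction:7} {src:>18} -> {dst:<18} {verdict}")
```

The rendered text can be loaded with `nft -f`; because the chain policy is accept, the ruleset only ever removes traffic that should not cross the edge, and the `counter` on each drop rule gives a quick way to see whether anything spoofed is actually being caught.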