Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

no ip forged-source-address

  • From: variable
  • Date: Wed Oct 30 10:46:45 2002


I've been following the discussion on DDoS attacks over the last few weeks
and our network has also recently been the target of a sustained DDoS
attack.  I'm not alone in believing that source address filters are the
simplest way to prevent the types of DDoS traffic that we have all been
seeing with increasing regularity.  Reading the comments on this list have
lead me to believe that there is a lot of inertia involved in applying
what appears to me as very simple filters.

As with the smurf attacks a few years ago, best practice documents and
RFC's don't appear to be effective.  I realise that configuring and
applying a source address filter is trivial, but not enough network admins
seem to be taking the time to lock this down.  If the equipment had
sensible defaults (with the option to bypass them if required), then
perhaps this would be less of an issue.

Therefore, would it be a reasonable suggestion to ask router vendors to
source address filtering in as an option[1] on the interface and then move
it to being the default setting[2] after a period of time?  This appeared
to have some success with reducing the number of networks that forwarded
broadcast packets (as with "no ip directed-broadcast").

Just my $0.02,

Richard Morrell

[1] For example, an IOS config might be:

interface fastethernet 1/0
 no ip forged-source-address

[2] Network admins would still have the option of turning it off, but this 
would have to be explicitly configured.

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.