North American Network Operators Group
Re: Possible DoS attack (?)
Ron Buchalski <email@example.com> wrote:

> Clifton, I wrote that stuff.

Clifton wrote the question about 'no ip directed-broadcast' - I think maybe he's not on nanog-post, which is why the original hasn't appeared (yet?).

> Have you verified that operation on the router?

I used 'debug ip icmp' both with and without 'ip route-cache same-interface', and saw significantly fewer redirects when it was on.

> I believe that if the stupid or malicious host continued to send packets to
> the router when they are really destined for another host (or router) on the
> subnet, that the router would continue to send ICMP redirects back to the
> sending host, and wouldn't cache this response for future packets, even with
> 'ip route-cache same-interface' enabled. The router should only populate its
> forwarding table with next hop information for real data flows, and an ICMP
> redirect (which is telling the host that this (through the router) isn't the
> correct path for a specific data flow) shouldn't be cached. I haven't
> verified this, though...

But there is a real data flow (in that the router will actually switch the data packets back out of the same interface, as well as sending redirects).

The IOS docs for 11.1 through 12.0 have this to say on the subject...

-- quote --

ip redirects

To enable the sending of redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.

ip route-cache

To control the use of a high-speed switching cache for IP routing as well as the use of autonomous switching, use the ip route-cache interface configuration command. To disable fast switching and autonomous switching, use the no form of this command.

    ip route-cache [cbus]
    no ip route-cache [cbus]
    ip route-cache same-interface
    no ip route-cache same-interface
    ip route-cache sse
    no ip route-cache sse
    ip route-cache [optimum | flow]
    no ip route-cache [optimum | flow]
    ip route-cache distributed
    no ip route-cache distributed

Syntax Description

[...]

same-interface    Enables fast switching packets back out the interface on which they arrived.

[...]

You can enable IP fast switching when the input and output interfaces are the same interface, using the ip route-cache same-interface command. This normally is not recommended, though it is useful when you have partially meshed media, such as Frame Relay. You could use this feature on other interfaces, although it is not recommended because it would interfere with redirection.

-- unquote --

Although there is an 'ip route-cache cef' command in 12.0, it doesn't appear to have any options, so maybe redirects just work under CEF (good news for people who use it on their border routers maybe).

M.
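As an added illustration (not part of the thread and not Cisco's own documentation), here is how the interface settings discussed above fit together in an IOS interface stanza. The interface name and addresses are placeholders chosen for this example; 'no ip redirects', 'no ip directed-broadcast' and 'ip route-cache same-interface' are the commands the thread and the quoted docs refer to.

```cisco
! Constructed example: a LAN-facing interface on a border router.
! Interface name and address are placeholders, not values from the thread.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ! The setting Clifton's original question was about: do not forward
 ! directed broadcasts onto this subnet.
 no ip directed-broadcast
 ! Suppress ICMP redirects for packets that have to go back out this same
 ! interface. The packet is still forwarded; the sender is simply not told
 ! about the shorter path, so a host hammering the router with same-subnet
 ! traffic no longer causes a redirect for every packet.
 no ip redirects
 ! The alternative tried in the thread: leave redirects on but fast-switch
 ! same-interface traffic. The quoted docs say this interferes with
 ! redirection and is intended for partially meshed media such as Frame
 ! Relay, so it is shown here commented out rather than enabled.
 ! ip route-cache same-interface
```

To see the effect either way, the thread's own check applies: run 'debug ip icmp' from enable mode while the same-subnet traffic is flowing and compare how many redirect lines appear before and after the change; with 'no ip redirects' there should be none for that interface.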