
RE: [cobalt-security] Scan detection



At 09:43 AM 8/12/2002, you wrote:
Paul Jacobs wrote:

> If network admins would set up their network right, this could
> not happen!
> A simple command in your Cisco-powered router config can stop
> forged addresses from getting to your box. That command would
> be "ip verify unicast reverse-path" (no quotes).

Congratulations.

It can, however, still happen if the packets are not spoofed.

And the chances of that happening are?


Plus, reverse-path verification is a great CPU hog; better to configure your router not to accept bogon networks and ensure it only passes IP in the right direction. Still, this is a Cobalt list; we ain't here to discuss Cisco router IP setups.

I have both reverse-path verification and bogon networks locked up tight on all networks I set up. After all, I have to look good; I am a CCNA.


Everyone note, though, that the "can be vulnerable to DoS attacks" comment still stands if you do have your router configured properly. It's the logging and the blocking which cause the problems. Like I said, keep your services as secure as possible and everyone's happy.

Graeme
--
Graeme Fowler
System Administrator
Host Europe Group PLC
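
As an added illustration of the two approaches argued over above (example configuration written for this page, not anything either poster supplied), the Cisco IOS fragment below puts the quoted `ip verify unicast reverse-path` check on the LAN side and the bogon and own-prefix filters on the upstream side. The interface names, the customer prefix 192.0.2.0/24 and the upstream addressing are assumptions standing in for a real allocation.

```cisco
! Example config, not from the list thread. Assumed topology: one customer
! prefix 192.0.2.0/24 (RFC 5737 documentation space) on FastEthernet0/0, a
! single upstream on Serial0/0 reached via a default route.
!
! uRPF is implemented in the CEF forwarding path, so CEF must be on.
ip cef
!
! 1. Strict uRPF on the inside interface: a packet is dropped unless the best
!    route back to its source address points out the interface it arrived on.
!    This is the command quoted in the thread; "ip verify unicast source
!    reachable-via rx" is the newer spelling of the same strict check.
!    Strict mode belongs only on single-homed stub interfaces; on a link with
!    asymmetric return paths it would drop legitimate traffic.
interface FastEthernet0/0
 description Inside LAN (192.0.2.0/24)
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! 2. Upstream interface. uRPF is not applied here: with only a default route
!    in the table there is nothing meaningful to verify against (loose mode
!    without allow-default would drop everything, with it would pass
!    everything), so ACLs carry the anti-spoofing duty in this direction.
interface Serial0/0
 description Upstream
 ip address 198.51.100.2 255.255.255.252
 ip access-group BOGON-IN in
 ip access-group OWN-PREFIX-OUT out
!
! 3. Ingress filter: traffic arriving from the Internet must never carry a
!    private, loopback, link-local, multicast or our own address as source.
!    Common bogon ranges only; keep the list current from an authoritative
!    source. Wildcard masks are inverted netmasks.
ip access-list extended BOGON-IN
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
! 4. Egress filter ("only pass IP in the right direction"): nothing leaves
!    towards the upstream unless it is sourced from our own prefix, so this
!    network cannot be the origin of spoofed traffic either.
ip access-list extended OWN-PREFIX-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any
!
! Verification after applying:
!   show ip interface FastEthernet0/0 | include verif
!   show ip traffic | include RPF
```

The split follows the usual rule of thumb: uRPF strict where the topology guarantees a symmetric path (the stub LAN), explicit ACLs where it does not (the upstream). Neither the ACLs nor uRPF here use the `log` keyword, which keeps the filtering itself from becoming the CPU and logging burden the thread warns about.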

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security