What broke?

Arron
-----Original Message-----
From: sjones(a)netlink.net.nz [mailto:sjones(a)netlink.net.nz] On Behalf Of Sid Jones
Sent: Monday, February 21, 2000 17:16
To: Arron Scott
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: More on DDOS attacks
Arron Scott wrote:
I have recently had the opportunity to try the "ip verify unicast reverse-path" command in a lab environment; it works with CEF on Cisco IOS 12.0. It seems relatively effective with about a 30% increase in distributed CPU utilisation (i.e. 10% becomes 13%, not 40%). We had every packet flooding an interface with bogus source addresses; it happily discarded them all. And yes, it even forwarded the packets with valid source addresses ;-)
And we were running with it on earlier versions of 12 and it broke after a week.... and it was the breaking after a week that was the problem.... YMMV.
Cheers
-- Sid