Originally posted by: spidey07
polar,
uRPF (unicast reverse path forwarding check - basically don't accept an IP on your ingress that you don't have an egress path for) should be implemented on each and every Internet router. This stops spoofed IPs. It's not the end-all, be-all, but it makes it that much harder to spoof an IP address.
If an ISP is not doing this, they should be crucified for not doing so. Heck, if every ISP followed RFC 2832 (I think that's the one - the one that details basic measures to be taken on all Internet routers) we'd be in much better shape.
I'm aware of the benefits of uRPF, but in a major ISP -- one peered dozens of times over, this is impossible to implement on centralized, redundant routers. It must be done at the edges of every network for traffic that those edge routers are ultimately responsible for. In his case, his upstream router should ensure that nothing sourced outside his network makes it past that simple ingress ACL.
The real problem is that network admins, regardless of technical advances of their country of origin, do not do these simple things. Some countries actually encourage such wicked behaviour.
So, in short, I agree with you, but uRPF is worthless in heavily-peered networks because there may be dozens of 0/0 routes based on load, expense, delay and a multitude of other qualifiers.
Edit:
A simple Cisco example for those reading this thread with internet routers they control:
---8<---
hostname routerA
ip domain-name domainA.com
!
int fa0/0
 description --{ WAN transport }--
 ip address 1.1.1.2 255.255.255.252
 ip access-group WAN_IN in
!
int fa0/1
 description --{ DMZ }--
 ip address 1.1.2.1 255.255.255.0
 ip access-group DMZ_IN in
!
int fa0/2
 description --{ LAN }--
 ip address 192.168.0.1 255.255.255.0
 ip access-group LAN_IN in
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! Every named ACL below ends with an implicit "deny ip any any",
! so whatever is not explicitly permitted is dropped.
ip access-list extended WAN_IN
 remark --{ No RFC1918 entrance }--
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 remark --{ Anti-Spoofing: our DMZ prefix and WAN address never arrive from outside }--
 deny ip 1.1.2.0 0.0.0.255 any log-input
 deny ip host 1.1.1.2 any log-input
 remark --{ Then permit only what the DMZ hosts actually serve }--
 permit ip any host 1.1.2.x
 ! <etc other decent traffic etc>
!
ip access-list extended DMZ_IN
 remark --{ Protect LAN (simple) }--
 deny ip any 192.168.0.0 0.0.0.255 log-input
 remark --{ Anti-Spoofing: only DMZ-sourced packets may leave the DMZ }--
 permit ip 1.1.2.0 0.0.0.255 any
!
ip access-list extended LAN_IN
 remark --{ Anti-Spoofing: only LAN-sourced packets may leave the LAN }--
 permit ip 192.168.0.0 0.0.0.255 any
---8<---
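As an added illustration, not part of the original post and not Cisco code, here is a small Python model of the two mechanisms the thread discusses: the strict/loose uRPF check against a forwarding table, and the source-address filtering that the WAN_IN ACL does. The first table mirrors routerA from the post (same addresses); the second table, the documentation prefixes 203.0.113.0/24 and 198.51.100.0/24, the interface names ge0/0 and ge0/1, and the way Cisco's `allow-default` and loose-mode (`any`) semantics are modelled are assumptions made for this example. It shows why a strict check is safe on a stub edge and why it drops legitimate traffic on a router whose return path to a prefix can differ from the interface the packet arrived on.

```python
import ipaddress

# Constructed FIB modelled on routerA from the post: prefix -> set of egress
# interfaces (a set with more than one member models equal-cost paths).
ROUTER_A_FIB = {
    ipaddress.ip_network("0.0.0.0/0"): {"fa0/0"},        # ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ipaddress.ip_network("1.1.1.0/30"): {"fa0/0"},       # WAN transport /30
    ipaddress.ip_network("1.1.2.0/24"): {"fa0/1"},       # DMZ
    ipaddress.ip_network("192.168.0.0/24"): {"fa0/2"},   # LAN
}

# Constructed FIB for a heavily peered router (assumption: two transit links,
# best path to 203.0.113.0/24 learnt over ge0/0, default shared across both).
PEERED_FIB = {
    ipaddress.ip_network("0.0.0.0/0"): {"ge0/0", "ge0/1"},
    ipaddress.ip_network("203.0.113.0/24"): {"ge0/0"},
}


def lookup(fib, addr):
    """Longest-prefix match; returns (prefix, egress interfaces) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, ifaces in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best


def urpf(fib, ingress_iface, src, mode="strict", allow_default=False):
    """Unicast RPF check on a packet with source `src` arriving on `ingress_iface`.

    strict: the route back to src must use ingress_iface as an egress.
    loose:  any route back to src suffices (modelled on Cisco's 'any' keyword).
    A default route only satisfies the check when allow_default is set
    (modelled on Cisco's 'allow-default'); both are assumptions of this model.
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    prefix, ifaces = hit
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return ingress_iface in ifaces


# Source filter equivalent to the deny lines of WAN_IN in the post.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OWN_ADDRESSES = [ipaddress.ip_network("1.1.2.0/24"), ipaddress.ip_network("1.1.1.2/32")]


def wan_in_permits_source(src):
    """True if a packet with this source may enter from the WAN at all."""
    s = ipaddress.ip_address(src)
    if any(s in p for p in RFC1918):
        return False          # private space never arrives from the Internet
    if any(s in p for p in OWN_ADDRESSES):
        return False          # our own addresses never arrive from the Internet
    return True


if __name__ == "__main__":
    # Stub edge (routerA): strict uRPF does the same job as LAN_IN / DMZ_IN.
    print(urpf(ROUTER_A_FIB, "fa0/1", "1.1.2.5"))        # True, DMZ host
    print(urpf(ROUTER_A_FIB, "fa0/1", "192.168.0.5"))    # False, LAN address spoofed from DMZ
    print(urpf(ROUTER_A_FIB, "fa0/0", "1.1.2.5"))        # False, own prefix spoofed from WAN
    # Single default route: strict mode needs allow-default to accept Internet sources.
    print(urpf(ROUTER_A_FIB, "fa0/0", "198.51.100.7"))                      # False
    print(urpf(ROUTER_A_FIB, "fa0/0", "198.51.100.7", allow_default=True))  # True
    # Peered core: legitimate traffic from 203.0.113.0/24 arrives on ge0/1 but the
    # best route back points at ge0/0, so strict mode drops it and loose mode does not.
    print(urpf(PEERED_FIB, "ge0/1", "203.0.113.9"))                # False
    print(urpf(PEERED_FIB, "ge0/1", "203.0.113.9", mode="loose"))  # True
    print(wan_in_permits_source("10.3.4.5"), wan_in_permits_source("198.51.100.7"))  # False True
```

The peered case is the one the reply above is talking about: with asymmetric return paths a strict check on a core router rejects real customers, which is why that filtering has to live on the edge interface that owns the prefix, where the reverse path is unambiguous, or be relaxed to loose mode, which only catches sources with no route at all.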