
DHCP and ip verify unicast 1

Status
Not open for further replies.

StaplesMan
Technical User, US
Mar 8, 2006
I am using a 1720 as my home router. I do not have a firewall. Just using ACLs and blocking as much as possible. One of the White Papers on Cisco's site shows how to prevent DDoS attacks.

It recommends the ip verify unicast reverse-path command. I have used it with success. But once my IP renews I don't get it. I have to remove the command then renew MY ip and then re-enable the command.

Is there any modification to the command (like an ACL) that will allow it to work with DHCP?

Thanks,
Bobby
 
Do you mean that the command disappears from the config when the IP address renews?

Also:

1. ip verify unicast reverse path is probably not doing too much for you other than making the router think more about each packet. It's recommended, but usually for large enterprises or ISPs. According to Cisco, for “Unicast RPF in strict mode, the packet must be received on the interface that the router would use to forward the return packet.”


Since your ISP is providing you DHCP and you probably only have one link to the Internet, then every packet that arrives is coming from the interface that the router would use to send reply traffic. Thus, uRPF isn't doing much.

Of course, if someone spoofs your inside network and manages to get the packet to the outside of your router then uRPF will drop it, but you could just as easily (and should) block that with an ACL. For example, you should block your inside address space and all RFC 1918 addresses in your outside ACL.

I recently blogged about a good use of uRPF in Remote Triggered Black Holes, if you're interested to see how it is used in larger environments:

2. I think the 1720 should be able to run IOS with the Cisco IOS Firewall Feature Set (aka CBAC - Context Based Access Control). IOS Firewall is a stateful firewall and also provides DoS protection, if you're worried about that. It provides DoS protection by clamping half-open TCP sessions and other signs of attack.

Cisco IOS Firewall Docs

Denial of Service Tuning for Cisco IOS Software Firewall and IPS

Cisco IOS Classic Firewall and Intrusion Prevention System Denial-of-Service Protection

Tuning Cisco IOS Firewall Denial-of-Service Protection


Matt
CCIE Security
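Matt's outside-interface ACL advice, written out as an IOS configuration. This is an added example, not configuration from the thread, from Cisco's white paper or from the documents linked above. The interface name Ethernet0 for the DHCP-addressed WAN port and the inside network 192.168.1.0/24 are assumptions. Order matters: the anti-spoof denies come first, then the DHCP permit that keeps the lease renewable, then only what the inside hosts actually need, then an explicit logged deny.

```cisco
! Anti-spoofing ingress filter for the Internet-facing interface.
! Added example, not from the thread. Assumptions: the WAN port is
! Ethernet0 and is a DHCP client; the LAN behind the router is
! 192.168.1.0/24.
ip access-list extended OUTSIDE-IN
 remark -- our own inside space must never arrive from the Internet --
 deny   ip 192.168.1.0 0.0.0.255 any
 remark -- RFC 1918 private space --
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark -- loopback, "this" network, link-local, multicast/reserved as source --
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark -- keep the DHCP lease renewable: server (bootps) -> client (bootpc) --
 permit udp any eq bootps any eq bootpc
 remark -- stateless return traffic for sessions opened from inside --
 permit tcp any any established
 permit udp any eq domain any gt 1023
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark -- everything else is dropped and logged --
 deny   ip any any log
!
interface Ethernet0
 ip address dhcp
 ip access-group OUTSIDE-IN in
 ! Strict uRPF as the white paper recommends. On a single-uplink box it
 ! only catches what the deny lines above already catch.
 ip verify unicast reverse-path
```

The `established` keyword only looks for the ACK or RST flag and keeps no session state, so this is the "ACLs as strict as you can make them" fallback; UDP replies (DNS here) have to be opened by port. Match counts from `show access-lists OUTSIDE-IN` and the unicast RPF drop counter in `show ip traffic` show which of the two mechanisms is actually doing the dropping. One caveat on the command itself: `ip verify unicast reverse-path` is the older form; IOS releases that use `ip verify unicast source reachable-via rx` consult the default route for the check only when `allow-default` is added, which matters on a router whose only route to the Internet is the default. The thread does not establish whether that has anything to do with the DHCP renewal problem.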
 
I do not get the new IP address from my ISP when ip verify unicast reverse-path is enabled, is basically the problem.

But I now see what you are saying and that it won't be of much help, because I already have private ips blocked as it is.

Once I upgrade the memory and flash I will install the FW IOS and use it. For now I have just the basic.

Thanks,
Bobby
 
Gotcha. My guess is that ip verify unicast is not compatible with DHCP, then. ;-) Maybe because of the way it relies on the forwarding table or something.

Until you upgrade, you might be interested in reflexive ACLs, or you might just make do with ACLs that are as strict as you can make them.

Reflexive ACLs

Matt
CCIE Security
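Matt's reflexive-ACL pointer, as an added IOS configuration example that is not from the thread or from the Cisco document he links. The interface names (Ethernet0 for the DHCP-addressed WAN port, FastEthernet0 for the LAN), the inside network 192.168.1.0/24 and the list names are assumptions. A reflexive ACL gives a stateless IOS image something closer to stateful filtering: each outbound TCP or UDP flow creates a temporary mirror entry, and only traffic matching a mirror entry is let back in.

```cisco
! Reflexive ACL on the Internet-facing interface: only return traffic for
! sessions opened from inside is let back in. Added example, not from the
! thread. Assumptions: WAN port Ethernet0 (DHCP client, doing NAT overload
! as a home router normally would), LAN 192.168.1.0/24 on FastEthernet0.
!
! Outbound list on the WAN port. Each TCP/UDP flow it permits creates a
! temporary mirror entry (addresses and ports swapped) in the reflexive
! list RETURN. The source is "any" because NAT has already rewritten the
! inside address by the time the outbound list is checked.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect RETURN timeout 300
 permit udp any any reflect RETURN timeout 60
 permit icmp any any
 deny   ip any any log
!
! Inbound list on the WAN port: static anti-spoof denies first, then the
! DHCP permit that keeps the lease renewable, then the dynamic mirror
! entries, then a small static ICMP set, then drop and log the rest.
ip access-list extended OUTSIDE-IN
 deny   ip 192.168.1.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit udp any eq bootps any eq bootpc
 evaluate RETURN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Anti-spoof for the LAN side sits on the LAN interface, before NAT:
! inside hosts may only send from the inside network.
ip access-list extended INSIDE-IN
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
! Global idle timeout for mirror entries that do not set their own.
ip reflexive-list timeout 120
!
interface Ethernet0
 ip address dhcp
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group INSIDE-IN in
```

Both `reflect` and `evaluate` must live in named extended ACLs, and the `evaluate` line is positioned like any other entry, so the static denies above it always win. The mirror entries can be inspected with `show access-lists RETURN`. The limits are what separate this from CBAC: a mirror entry is only a five-tuple, TCP entries go away on FIN/RST or timeout and UDP entries only on timeout, there is no inspection of the application, and protocols that open a second channel (active-mode FTP, for example) need a static hole or the IOS Firewall image.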
 
Thanks for all this information! I never knew anything about the reflexive ACLs.

Thanks
Bobby
 
TCP Intercept is also good to work against DoS attacks, but I now see it is not available for that platform. If you have an 1800 or 2600 series with advanced enterprise, enterprise, or telco image, then you'd be good.

Also, Matt, won't CBAC help him out with DDoS also?

Burt
 
CBAC will help, but he mentioned in post #3 that he doesn't have the memory to support an image with CBAC.

TCP Intercept is another good suggestion!

Matt
CCIE Security
 
"Once I upgrade the memory and flash I will install the FW IOS and use it. For now I have just the basic."

Whoopsie...I'm blind!

Thanks!

Burt
 