So I have circled back to lab 1 to go through 1-10 pre lab & hopefully I am now spotting better ways to do things. What do you good people think to this:
Q)
To help prevent this type of attack in the future configure your network so
that traffic will not be accepted from BB1, BB2, or BB3 if it sourced from
your address space 183.X.0.0/16.
INE Solution)
Ingress ACL:
ip access-list extended SYN_ATTACK
deny ip 183.1.0.0 0.0.255.255 any
permit tcp any host 183.1.28.100 eq www syn log-input
permit ip any any
Ok, yes I agree for the switch this is the only option (they don't support my solution), but for the routers I went with this tac:
!
int XYZ
ip verify unicast source reachable-via rx
!
Same result, right? Or have I overlooked one small detail as usual? The point that may trip me up here is this:
tx = Examines incoming packets to determine whether the source address is in the FIB and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).
The above may break something if I were to have an odd design where I receive a packet from, say, BGP AS100 and my local policy is to send back to this AS via AS200 (i.e. I have to route internally)?
I think my answer is valid, I am just picking holes in it, well, because that's what we're here for, right? ;)
Regards,
\Sam
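An added simulation (not from the post or INE's workbook) of the two approaches: it walks a few packets through a constructed FIB with the uRPF `reachable-via rx` (strict) and `reachable-via any` (loose) checks next to the ACL's `deny ip 183.1.0.0 0.0.255.255 any` line, and includes the asymmetric AS100/AS200 case raised above, where local policy routes back to AS100 via AS200. Interface names, the 10.100/16 and 10.200/16 peer prefixes, and the `allow-default` handling are assumptions for the model.

```python
import ipaddress

# Constructed FIB: prefix -> egress interface. 183.1.0.0/16 is our space;
# 10.100/16 is AS100 (arrives on Gi0/1), 10.200/16 is AS200 (Gi0/2).
# Local policy prefers reaching AS100 via AS200, so the return path for
# AS100 sources is Gi0/2, not the interface their packets actually arrive on.
FIB = {
    "183.1.0.0/16": "Loopback0",
    "10.100.0.0/16": "Gi0/2",
    "10.200.0.0/16": "Gi0/2",
    "0.0.0.0/0": "Gi0/2",
}
OUR_SPACE = ipaddress.ip_network("183.1.0.0/16")


def fib_lookup(src, allow_default=False):
    """Longest-prefix match; the default route counts only with allow-default."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(src, in_iface, mode="rx", allow_default=False):
    """'rx' = strict: route to source must point out in_iface; 'any' = loose."""
    hit = fib_lookup(src, allow_default)
    if hit is None:
        return False
    return hit[1] == in_iface if mode == "rx" else True


def acl_permits(src):
    """The INE ACL's anti-spoofing line: drop anything sourced from our space."""
    return ipaddress.ip_address(src) not in OUR_SPACE


def compare(src, in_iface):
    """Verdicts (acl, strict uRPF, loose uRPF) for one packet."""
    return (acl_permits(src),
            urpf_permits(src, in_iface, "rx"),
            urpf_permits(src, in_iface, "any"))


if __name__ == "__main__":
    for src, iface, note in [
        ("183.1.28.5", "Gi0/1", "spoofed: our own space from a backbone"),
        ("10.200.7.7", "Gi0/2", "legit: AS200 source on the AS200 link"),
        ("10.100.5.5", "Gi0/1", "legit but asymmetric: AS100 direct in, back via AS200"),
    ]:
        print(f"{note}: acl/strict/loose = {compare(src, iface)}")
```

Strict mode stops the spoofed packet just like the ACL does, but it also drops the asymmetric AS100 packet the ACL would pass; loose mode keeps that packet but does not stop the spoof, since a route for 183.1.0.0/16 exists.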