Vulnslist

The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.

There are no workarounds available to mitigate the effects of this vulnerability.

It is possible to mitigate the exposure on this vulnerability by applying anti-spoofing measures on the edge of the network.

By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands.

router(config)#ip cef
router(config)#interface router(config-if)#ip verify unicast reverse-path

Please consult http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html ["http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html"] and ftp://ftp-eng.cisco.com/cons/isp/security/URPF-ISP.pdf ["ftp://ftp-eng.cisco.com/cons/isp/security/URPF-ISP.pdf"] for further descriptions of how uRPF works and how to configure it in various scenarios. This is especially important if you are using asymmetric routing.

Access control lists (ACLs) should also be deployed as close to the edge as possible. Unlike uRPF, you must specify the exact IP range that is permitted. Specifying which addresses should be blocked is not the optimal solution because it tends to be harder to maintain.

Caution: In order for anti-spoofing measures to be effective, they must be deployed at least one hop away from the devices which are being protected. Ideally, they will be deployed at the network edge.