The second principle is to implement BCP38 and this is unicast reverse path forwarding which means deny outbound traffic from customers which has spoofed source addresses. We should only be allowing traffic from IP address space that's assigned to a customer's out from these customer links. Everything else is spoofed or faked, what you have and should be dropped. So the advice and the simple technique is to implement uRPF on all single home customer facing interfaces. It's much cheaper to do this in terms of CPU and RAM than implementing packet filters. We describe uRPF in more detail elsewhere in this series.

Related Documents

Exercises

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon. 

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.
You are free to:

Share — copy and redistribute the material in any medium or format
Adapt — remix, transform, and build upon the material
The licensor cannot revoke these freedoms as long as you follow the license terms.
Under the following terms:

Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
NonCommercial — You may not use the material for commercial purposes.
No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.