North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: ICMP rate limiting on EGRESS (Warning, operational content inside)
- From: Alex Bligh
- Date: Mon Jan 17 11:38:08 2000
Sean Donelan wrote:
> Or is this a case, if we had thought about it, we would have prohibited
> it at the start; but now its in the wild we don't know how to get it back
> in the barn.
Mmmm... we got onto this argument by someone implying we wouldn't need
this sort of defensive technique (ICMP rate limiting on egress)
if source-spoofed weren't transmittable (or weren't widely transmittable).
I agree. However as you are demonstrating, whilst getting to this
utopia would be great, getting there will take a long time. I'm sure
we *might* also fix DoS attacks using some sort of interprovider MPLS
or like to provide QoS negotiation (and that'll also give you non-destination
based routing) .... and I bet that even if this could
be got to work, it would take even longer.
In the mean time, ICMP rate limiting is here now and deployable for
most people at these exchangepoints today.
GX Networks (formerly Xara Networks)