Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: FW: Re: Is there a line of defense against Distributed Reflectiveattacks?

  • From: Rob Thomas
  • Date: Sun Jan 19 14:26:52 2003

Hi, NANOGers.

] The rest could be handled with a simple IDS (doesn't even need
] to match patterns... just count packets going to 27374 and the like)

There is no "simple IDS" for OC48+ links.  :)  Counters are possible,
though adding that many ACLs can be more than burdensome on certain
code and hardware releases.  Don't even mention logging.  :/  While
some ports are more obvious than others, there is still the question
of what is in the payload of a packet that increments a counter.  It
may be quite benign, e.g. a SYN packet to port 80 from source port
27374.

At the edge some of these things are quite possible.  At aggregation
and transit points, however, such suggestions don't scale.

] I keep saying ISPs would be much better off if they implement these
] filters. But not all of them agree. IMHO: less 'zombies' -> better
] service -> less support phonecalls.

I agree.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.