Dave Wreski wrote:
> 
> Cisco routers have a
> Committed Access Rate function, which performs just this exact task, and
> seems to me to at least stop the attack upstream...
> 

Well yes, but it's near impossible for packet filters (routers) to block
TCP flood attacks going to random ports in the range 1024-65535 that do 
not have the SYN flag set.

These packets would certainly be denied by your full-blown firewall, but, as 
you earlier pointed out, at that point the damage is already done to your 
narrow pipe.

It's just a question of modifying the TFN/Trinoo/Whatnot slaves so that
they send out TCP packets to random high ports, that all look like legitimate
responses.

The only defense then would be to place a real firewall at the upstream 
access point, because I don't think that even a load balancer would help in 
a situation like this, with the data streams coming from multiple systems on 
the 'net.

Are there ISPs that allow this?

<flameshield>
Don't start explaining about the benefits of stateful load balancers to me; they're 
more like firewalls than load balancers in the first place, and I did say that a
firewall might help.
</flameshield>

Regards,
/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
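The distinction Mike draws above, as an added example that is not part of the thread or of any product it mentions: a router-style "established" ACL and a connection-tracking firewall are run over a constructed trace of one legitimate reply plus ACK-only packets to random high ports. All addresses, ports and the flood size are constructed for the illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"


INSIDE = "10.0.0."  # constructed: the protected /24 behind the narrow pipe


def stateless_allow(p: Pkt) -> bool:
    """Packet-filter ACL in the spirit of 'permit tcp any any gt 1023 established':
    any inbound packet with ACK set, bound for a high port, looks like a reply."""
    if not p.dst.startswith(INSIDE):
        return True  # outbound traffic is not filtered
    return p.dport > 1023 and "A" in p.flags


class StatefulFilter:
    """Firewall that admits an inbound packet only if it matches a connection
    an inside host opened itself (state is created on the outbound SYN)."""
    def __init__(self) -> None:
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, p: Pkt) -> bool:
        if p.src.startswith(INSIDE):
            if p.flags == "S":
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.table


def constructed_trace(n_flood: int = 100) -> list:
    rng = random.Random(1)  # fixed seed so the run is reproducible
    trace = [Pkt("10.0.0.5", 40000, "198.51.100.7", 80, "S"),     # inside host opens a connection
             Pkt("198.51.100.7", 80, "10.0.0.5", 40000, "SA")]    # the legitimate reply
    for _ in range(n_flood):  # constructed ACK-only packets to random high ports, no SYN
        trace.append(Pkt(f"203.0.113.{rng.randint(1, 254)}", rng.randint(1024, 65535),
                         f"10.0.0.{rng.randint(1, 254)}", rng.randint(1024, 65535), "A"))
    return trace


def compare(trace: list) -> dict:
    """Count how many inbound packets each filter lets through to the inside."""
    sf = StatefulFilter()
    counts = {"stateless_passed": 0, "stateful_passed": 0}
    for p in trace:
        a, b = stateless_allow(p), sf.allow(p)  # both see every packet, in order
        if p.dst.startswith(INSIDE):
            counts["stateless_passed"] += int(a)
            counts["stateful_passed"] += int(b)
    return counts
```

The ACL passes the reply and every one of the flood packets, because without state it cannot tell a spoofed ACK from a real one; the connection tracker passes only the reply.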