On Mon, 3 Jan 2000, Dave Wreski wrote:
>
> > Well yes, but it's near impossible for packet filters (routers) to
> > block TCP flood attacks going to random ports in the range 1024-65535
> > that do not have the SYN flag set.
>
> This would be ICMP we are talking about -- no SYN flag.
>
> > These packets would certainly be denied by your fullblown firewall,
> > but, as you earlier pointed out, at that point the damage is already
> > done to your narrow pipe.
>
> Which is why I would like my upstream provider to prevent more than, say,
> 30k of ICMP traffic from entering my network at any one time, regardless
> of whether they are responses or not.
If your upstream ISP is willing
(& connects you to a Cisco with IOS 12.0 or 11.1CC(<something>))
it can be done with Cisco CAR (the "rate-limit" interface command)
(there is a limit of 20 rate-limits per interface).
If they aren't, you may want to point out that you will open fewer DoS
trouble tickets.
If they *still* aren't, maybe you should look for an ISP that will do it
(or co-locate a router at them ;-)
For more info see
<http://www.cisco.com/warp/public/732/Tech/car/index.html>
--
Rafi Sadowsky [EMAIL PROTECTED]
Network Operations Center |VoiceMail: +972-3-646-0592 FAX: +972-3-646-5410
ILAN - IUCC -I2(Israel) | member ILAN-CERT([EMAIL PROTECTED])
(Israeli Academic Network) | (PGP key -> ) http://telem.openu.ac.il/~rafi
>
> Dave
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
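What Rafi describes, shown as an added example that is not from the post or from Cisco's documentation: a Cisco IOS CAR configuration the upstream ISP could apply on the interface facing the customer. The interface name, the ACL number and the 32 kbps figure standing in for the "30k" above are assumptions.

```cisco
! Added example: cap ICMP leaving the ISP router toward the customer
! (i.e. entering the customer's network) with Committed Access Rate.
! Interface name, ACL number and the rate are assumed values.
!
! Match every ICMP type, so echo replies from reflector hosts are
! limited exactly like unsolicited echo requests (no SYN flag to key on).
access-list 101 permit icmp any any
!
interface Serial0/0
 description Customer link (narrow pipe)
 ! 32000 bps average rate (CAR rates are set in bits per second),
 ! 8000-byte normal burst, 8000-byte extended burst.
 ! ICMP within the rate is forwarded; ICMP above it is dropped,
 ! so a flood cannot fill the whole link. This is one of the at most
 ! 20 rate-limit statements allowed per interface.
 rate-limit output access-group 101 32000 8000 8000 conform-action transmit exceed-action drop
!
! Check from the router: "show interfaces Serial0/0 rate-limit" lists the
! conformed and exceeded packet/byte counters for each rate-limit line,
! so a rising "exceeded" counter is the indicator that a flood is being shed.
```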