Paul Wouters writes:
> On Tue, 19 Aug 2014, Tero Kivinen wrote:
>
> >> You would need the port number too to support multiple clients behind the
> >> same NAT router, upon which the attacker can then use multiple ports too.
> >
> > No need for port number. If server is under attack just block / slow
> > down everybody using the same IP-address (or IP-address mask).
>
> Works great with CGN :P

Yes, blocks them nicely. Just what they asked for... :-)

On the other hand CGD should notice if there is a widespread DoS attack done
through it, and hopefully someone will block those attacks in there...
Those attacks will consume quite a lot of resources on the CGD so
operators would actually like to block them.
--
kivi...@iki.fi