Re: ICANN Targets DDoS Attacks

2002-11-04 Thread alok
is any active working group pursuing this matter seriously? -rgds Alok - Original Message - From: alok [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Saturday, November 02, 2002 4:26 AM Subject: Re: ICANN Targets DDoS Attacks The first, dropping broadcasts destined

Re: ICANN Targets DDoS Attacks

2002-11-04 Thread bmanning
4:26 AM Subject: Re: ICANN Targets DDoS Attacks The first, dropping broadcasts destined to your customers, is possibly doable, but not trivial. -- IGP learnt networks .. a small tweaky bit which learns broadcast addresses via the networks in the IGP wud help (again summarization

Re: ICANN Targets DDoS Attacks

2002-11-04 Thread Alex Bligh
- a very small percentage cud be blocked if u were willing to link this to BGP learnt networks..at least those are complete networks, not subnetted ofcourse its a very small portion, mebbe u cud ask guys to send more specific BGP routes from now I am assuming you mean 'mark /32's

Re: ICANN Targets DDoS Attacks

2002-11-04 Thread alok
PROTECTED]; nanog [EMAIL PROTECTED] Sent: Tuesday, November 05, 2002 5:58 AM Subject: Re: ICANN Targets DDoS Attacks ok, so i exploited the ambiguity in the original question. wrt active - there is a sub-group from within the RSSAC members that seems to be exchanging email on a regular basis

Re: ICANN Targets DDoS Attacks

2002-11-04 Thread alok
- a very small percentage cud be blocked if u were willing to link this to BGP learnt networks..at least those are complete networks, not subnetted ofcourse its a very small portion, mebbe u cud ask guys to send more specific BGP routes from now I am assuming you mean 'mark

Re: ICANN Targets DDoS Attacks

2002-11-01 Thread Alex Bligh
--On 29 October 2002 21:11 + Stephen J. Wilcox [EMAIL PROTECTED] wrote: As they say, if you don't set the rate limit too low then you won't encounter drops under normal operation. It would be useful if [vendor-du-jour] implemented rate-limiting by hashed corresponding IP address. IE:

Re: ICANN Targets DDoS Attacks

2002-10-31 Thread Crist J. Clark
On Wed, Oct 30, 2002 at 10:13:11PM -0500, [EMAIL PROTECTED] wrote: On Wed, 30 Oct 2002 13:35:38 PST, Crist J. Clark said: (OK.. *technically*, Christ is correct.. you can't tell.. but still) On the classless Internet, how does any router know what is or is not a broadcast address when

Re: ICANN Targets DDoS Attacks

2002-10-30 Thread Crist J. Clark
On Tue, 29 Oct 2002 16:00:06 -0500, [EMAIL PROTECTED] wrote, On Tue, 29 Oct 2002 12:48:39 PST, Jeff Shultz said: Smurf. Okay. What will this do to my user's ping and traceroute times, if anything? I've got users who tend to panic if their latency hits 250ms between here and the moon

Re: ICANN Targets DDoS Attacks

2002-10-30 Thread Valdis . Kletnieks
On Wed, 30 Oct 2002 13:35:38 PST, Crist J. Clark said: (OK.. *technically*, Christ is correct.. you can't tell.. but still) On the classless Internet, how does any router know what is or is not a broadcast address when the final destination is not local? Bitch bitch whine whine. Why is it

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Peter Salus
Am I the only one to find this ludicrous? Expecting ICANN to competently hand these things is analogous to asking the Captain of the Titanic about how to handle icebergs. Peter

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Stephen J. Wilcox
to be fair he only made one mistake in his career.. On Tue, 29 Oct 2002, Peter Salus wrote: Am I the only one to find this ludicrous? Expecting ICANN to competently hand these things is analogous to asking the Captain of the Titanic about how to handle icebergs. Peter

RE: ICANN Targets DDoS Attacks

2002-10-29 Thread H. Michael Smith, Jr.
Source address verification at access layer and rate limiting icmp would be fine starts. -Original Message- From: [EMAIL PROTECTED] [mailto:owner-nanog;merit.edu] On Behalf Of fingers Sent: Tuesday, October 29, 2002 1:12 AM To: [EMAIL PROTECTED] Subject: Re: ICANN Targets DDoS Attacks

RE: ICANN Targets DDoS Attacks

2002-10-29 Thread fingers
Source address verification at access layer and rate limiting icmp would be fine starts. these are best practices and not DDoS Protection imho

RE: ICANN Targets DDoS Attacks

2002-10-29 Thread H. Michael Smith, Jr.
;fingers.co.za] Sent: Tuesday, October 29, 2002 10:04 AM To: H. Michael Smith, Jr. Cc: [EMAIL PROTECTED] Subject: RE: ICANN Targets DDoS Attacks Source address verification at access layer and rate limiting icmp would be fine starts. these are best practices and not DDoS Protection imho

RE: ICANN Targets DDoS Attacks

2002-10-29 Thread fingers
Agreed 100%, but Gov't (being run by lawyers) is well accustomed to defining what the meaning of 'is' is. If they dictate that ISPs employ DDoS Protection, they will define what DDoS Protection means 'for the purposes of this policy'. ah ok the point I was trying to make is, there are

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Valdis . Kletnieks
On Tue, 29 Oct 2002 08:34:22 CST, Peter Salus said: Expecting ICANN to competently hand these things is analogous to asking the Captain of the Titanic about how to handle icebergs. Actually, it would be more like asking the Captain how to design bridges.

RE: ICANN Targets DDoS Attacks

2002-10-29 Thread H. Michael Smith, Jr.
To: fingers Cc: H. Michael Smith, Jr.; [EMAIL PROTECTED] Subject: Re: ICANN Targets DDoS Attacks I would point out that if we were to define it and provide the definition to the proper authorities, it would go a long way towards getting a definition that makes sense. I, (and many others here I would

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Petri Helenius
Source address verification at access layer and rate limiting icmp would be fine starts. Why would you like to regulate my ability to transmit and receive data using ECHO and ECHO_REPLY packets? Why they are considered harmful? I'm all for source address verification though. Pete

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Valdis . Kletnieks
On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius [EMAIL PROTECTED] said: Why would you like to regulate my ability to transmit and receive data using ECHO and ECHO_REPLY packets? Why they are considered harmful? Smurf.

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Jared Mauch
On Tue, Oct 29, 2002 at 10:25:44PM +0200, Petri Helenius wrote: Source address verification at access layer and rate limiting icmp would be fine starts. Why would you like to regulate my ability to transmit and receive data using ECHO and ECHO_REPLY packets? Why they are considered

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Jeff Shultz
*** REPLY SEPARATOR *** On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote: On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius [EMAIL PROTECTED] said: Why would you like to regulate my ability to transmit and receive data using ECHO and ECHO_REPLY packets? Why they are

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Jared Mauch
On Tue, Oct 29, 2002 at 12:48:39PM -0800, Jeff Shultz wrote: *** REPLY SEPARATOR *** On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote: On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius [EMAIL PROTECTED] said: Why would you like to regulate my ability to

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Jared Mauch
On Tue, Oct 29, 2002 at 01:03:52PM -0800, Jeff Shultz wrote: On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote: On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius [EMAIL PROTECTED] said: Why would you like to regulate my ability to transmit and receive data using ECHO and

RE: ICANN Targets DDoS Attacks

2002-10-29 Thread Dan Lockwood
] Subject: Re: ICANN Targets DDoS Attacks On Tue, Oct 29, 2002 at 01:03:52PM -0800, Jeff Shultz wrote: On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote: On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius [EMAIL PROTECTED] said: Why would you like to regulate my ability to transmit

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Jared Mauch
On Tue, Oct 29, 2002 at 01:24:11PM -0800, Dan Lockwood wrote: Would anyone be willing to post an operational example of CAR for ICMP. I would like to see what others are doing to combat the problem. Dan rate-limit input access-group 2000 1536000 20 20 conform-action transmit

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Jared Mauch
On Tue, Oct 29, 2002 at 04:31:50PM -0500, Jared Mauch wrote: On Tue, Oct 29, 2002 at 01:24:11PM -0800, Dan Lockwood wrote: Would anyone be willing to post an operational example of CAR for ICMP. I would like to see what others are doing to combat the problem. Dan rate-limit input

ICMP filtering, was Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Rob Thomas
Hi, NANOGers. ] ICMP? I have my own thoughts on ICMP filtering, which you will find here: http://www.cymru.com/Documents/icmp-messages.html I don't claim to have correct thoughts, however, so input and suggestions are always welcome. :) If anyone could pick up a NANOG t-shirt for me,

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Jared Mauch
On Tue, Oct 29, 2002 at 06:00:06PM -0500, Ken Chase wrote: On Tue, Oct 29, 2002 at 04:11:49PM -0500, Jared Mauch's all... Once again, i'd like to see (other than a performance checking customer) generate more than 2Mb/s of icmp.echo and icmp.echo-reply packets that are legit and not

Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Brett Frankenberger
On Tue, Oct 29, 2002 at 09:05:40PM -0500, Jared Mauch wrote: Please discontinue imagination. You obviously don't understand how traceroute works by sending udp packets and getting icmp ttl expired messages back which are not icmp {echo,echo-reply}. Come back when you do understand

ICANN Targets DDoS Attacks

2002-10-28 Thread Sean Donelan
My comment from September 11, 1996 (that's not a typo) http://www.cctec.com/maillists/nanog/historical/9609/msg00302.html But what's interesting is Paul Vixie is speaking about a very narrow requirement, but when it gets translated into government regulation talk, it's very different than where

Re: ICANN Targets DDoS Attacks

2002-10-28 Thread fingers
Meanwhile, U.S. government security officials are discussing the possibility of creating new regulations that would require federal agencies to buy Internet service only from ISPs that have DDoS protection on their networks, according to people familiar with the situation. Such a