In addition to egress filtering, do try to configure your current
infrastructure to survive a direct attack as long as possible by:

- properly configure Cisco QoS
- change the default route cache algorithm to Cisco Express Forwarding (CES),
  as it is optimized for short duration, dynamic traffic
- where possible, implement reflexive filtering rules as opposed to
  vanilla ACLs
- tune the command scheduler timing, so that when under direct attack the
  device is not spending more time responding to interrupts than routing
- where possible, implement tcp-intercept rules

Not intended to be a complete list of things to do, but should set one on
the right path.

ttyl,

_________________________________________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice:  (416) 605-2041
E-mail: [EMAIL PROTECTED]
Web:    http://www.tsintel.com

On Sat, 2 Feb 2002 [EMAIL PROTECTED] wrote:

>
> Glen,
>
> If it's DoS that you're specifically worried about, one thing that you could implement
> to help mitigate the risk is egress filtering. I've included a couple of resources
> that may be of help.
>
> http://www.sans.org/dosstep/
> http://www.mitre.org/research/cyber/DDOS/
>
> cheers,
> gattaca
>
> - ----------------
> liquidmatrix.Org
> - ----------------

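The router-side measures John lists above, written out as an added Cisco IOS configuration fragment (not from the original post): interface names, the 192.0.2.10 server address, ACL names and numbers, and every timer and threshold value are assumptions to be tuned per platform, and scheduler allocate is platform-specific (smaller platforms use scheduler interval instead).

```cisco
! Assumed topology: Serial0/0 faces the upstream provider, FastEthernet0/0
! faces the inside network. All addresses and thresholds are placeholders.
!
! Route cache: switch to CEF so short-lived flows do not each build a
! route-cache entry (fast/optimum switching degrade under random-source floods).
ip cef
!
! Scheduler: reserve process-level CPU time so routing updates and management
! keep running while interfaces flood the CPU with interrupts
! (at most 4000 ms at interrupt level, then 1000 ms for processes).
scheduler allocate 4000 1000
!
! Reflexive ACLs: only sessions originated from inside are let back in.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any
!
ip access-list extended INBOUND
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 permit tcp any host 192.0.2.10 eq 80
 deny ip any any log
!
! TCP intercept: the router answers the SYN itself and only opens the
! connection to the web server once the client completes the handshake.
access-list 110 permit tcp any host 192.0.2.10
ip tcp intercept list 110
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! QoS (committed access rate): cap inbound ICMP at 256 kbit/s so a ping
! flood cannot consume the whole link.
access-list 120 permit icmp any any
!
interface Serial0/0
 description Upstream
 ip route-cache cef
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 rate-limit input access-group 120 256000 8000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 description Inside
 ip route-cache cef
```

Verify the reflexive state and intercept counters with show ip access-lists and show tcp intercept statistics after applying it.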