[4264] in North American Network Operators' Group

Re: Re[2]: SYN floods (was: does history repeat itself?)

daemon@ATHENA.MIT.EDU (Alexis Rosen)
Tue Sep 10 14:13:31 1996

From: Alexis Rosen <alexis@panix.com>
To: chuckie@panix.com (Alec H. Peterson)
Date: Tue, 10 Sep 1996 14:07:03 -0400 (EDT)
Cc: pcalhoun@usr.com, nanog@merit.edu, perry@piermont.com
In-Reply-To: <199609101213.IAA00740@panix4.panix.com> from "Alec H. Peterson" at Sep 10, 96 08:13:11 am

Alec H. Peterson writes:
> 
> Pat Calhoun writes:
> >        This is actually quite simple to implement on Dial Access Routers, 
> >     and obviously this is the best place to add the filtering. 
> 
> Sure, that's a place to start.  Except for a few problems:
> 
> 1) The people doing this are not necessarily using a dialup IP
>    connection.

True. That's why you need to filter upstream of public-access unix boxes
(like our own).

> 2) Many of us don't have dial access routers that can handle this.

Also true. As I said before, I don't know about the Ascends, but I do know
that the Xylogics boxes we use have the capability but probably not the
capacity. When all ports are connected at 28.8, CPU usage can hover in
the high 80% range. Adding filters would probably be a bad idea.

That's why I was talking about filtering at a router just upstream from
the dial-access box.

FWIW, even with a thousand very busy modems, I'm pretty sure that even a
small cisco is up to the job. They just don't generate all that much traffic.

/a
