[27191] in North American Network Operators' Group
Re: [Re: Which Part(s) Failed in the recent DOS Attacks?]
daemon@ATHENA.MIT.EDU (Richard Steenbergen)
Wed Feb 9 23:20:40 2000
Date: Wed, 9 Feb 2000 23:17:14 -0500
From: Richard Steenbergen <ras@above.net>
To: Toplez Razer <z28convertible@usa.net>
Cc: Joe Shaw <jshaw@insync.net>, nanog@merit.edu
Message-ID: <20000209231714.G24338@above.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <20000210040519.16006.qmail@nw177.netaddress.usa.net>; from Toplez Razer on Tue, Mar 18, 2036 at 03:33:35AM -0700
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, Mar 18, 2036 at 03:33:35AM -0700, Toplez Razer wrote:
>
> Joe,
> Firewall-1 has the SynDefender and Cisco IOS 12.0 has TCP Intercept for
> stopping TCP DOS. Could these features stop massive TCP DOS attacks?
Not a chance in hell. Anything short of a GSR has problems forwarding or
flat out dropping (surprisingly, oftentimes you get better performance
from CAR than an acl deny) the number of packets/sec. Packet inspection,
especially of the involved nature of TCP Intercept, is totally useless for
attacks of this size. TCP Intercept performance is closer to that of a
unix machine with a protected kernel; it will do better than the original
kernels back in the day when PANIX was DoS'd by dialup-speed floods,
actually it will compete with a very strong unix box running top notch
code that still has to process the SYN and attempt a connection, but that's
still at least an order of magnitude too little...
--
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA