[27258] in North American Network Operators' Group
Re: [Re: Which Part(s) Failed in the recent DOS Attacks?]
daemon@ATHENA.MIT.EDU (Richard Steenbergen)
Thu Feb 10 16:05:17 2000
Date: Thu, 10 Feb 2000 15:54:04 -0500
From: Richard Steenbergen <ras@above.net>
To: Joe Shaw <jshaw@insync.net>
Cc: Toplez Razer <z28convertible@usa.net>, nanog@merit.edu
Message-ID: <20000210155404.L24338@above.net>
In-Reply-To: <Pine.GSO.4.21.0002092332010.28241-100000@vellocet.insync.net>; from Joe Shaw on Wed, Feb 09, 2000 at 11:37:36PM -0600
On Wed, Feb 09, 2000 at 11:37:36PM -0600, Joe Shaw wrote:
>
>
> On 9 Feb 2000, Toplez Razer wrote:
>
> > Joe,
> > Firewall-1 has the SynDefender and Cisco IOS 12.0 has TCP Intercept for
> > stopping TCP DOS. Could these features stop massive TCP DOS attacks?
>
> Both could possibly help, but when you're dealing with 800Mbps, which is
> how much traffic was reported in the Yahoo DoS, filters don't matter. The
> problem is, you fill up the pipes and it doesn't matter that the router or
> the firewall drops the packets because legitimate traffic can't get
> through. If the attacks were smaller directed attacks you'd have a better
> chance of defending yourself, but with these new DDoS attacks it makes it
> next to impossible unless you're a Tier1 or your Tier1 will actively
> filter. That's what makes them so devastating right now.

GlobalCenter has that kind of pipe, if you can filter out the bad traffic
from the good. With smurfs it's easy, icmp echo-reply is not a "necessary"
packet type. With SYN/ACK floods it's not so easy. But then again the day I
see an 800Mbps SYN flood is the day I throw in the towel and go home.
--
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA