[4408] in North American Network Operators' Group
Re: SYN floods (was: does history repeat itself?)
daemon@ATHENA.MIT.EDU (alex@relcom.eu.net)
Mon Sep 16 09:24:17 1996
Date: Mon, 16 Sep 96 17:11:16 +0400
To: avg@quake.net, jhall@rex.isdn.net
Cc: alex@relcom.eu.net, curtis@ans.net, nanog@merit.edu, perry@piermont.com
From: alex@relcom.eu.net
> -->(Note that reverse filters I described do _not_ require that the route
> -->back must be best. It just has to be present in the RIB corresponding
> -->to exterior routing session over the interface in question.)
> -->
> You may not have said it, but I remember someone said the route had to be
> in the routing table. I would agree with you if it looked up the source
> in the BGP table and if it considered history or dampened paths valid. If
> your asymmetry runs over multiple interfaces, then the best path might not
> be on the interface the packet is arriving on.
This behaviour is USEFUL in any case. If we can filter SRC addresses only in
accordance with the routing table - we'll prevent attacks from our direct customers.
If this filtering works in accordance with the total routing table (not best
routes only) - OR, we'll prevent attacks from some small ISP there too. But
anyway this mechanism will work if it is available to us.
I never wrote that we can prevent attacks via other big ISPs if they do not
support this filtering. But if Cisco incorporates this in the _provider_
revision - I think most ISPs will use this mechanism in the near future.
(It depends on the extra CPU and memory it will use, certainly.)
---
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
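
Added example (not part of the original message or thread): a Python sketch of the two source-address checks the message contrasts, one that accepts a packet only when the best route back to its source points out the arrival interface, and one that accepts it when any covering route is present in the RIB for the session on that interface. The interface names, prefixes, packets and function names are constructed assumptions.

```python
import ipaddress

# Constructed data: routes learned over the exterior routing session on each interface.
RIB = {
    "if-customer": ["192.0.2.0/24"],
    "if-peer-a": ["198.51.100.0/24", "203.0.113.0/24"],
    "if-peer-b": ["203.0.113.0/24"],  # alternate, non-best path to the same prefix
}
# Constructed data: the interface of the best route for each prefix.
BEST = {
    "192.0.2.0/24": "if-customer",
    "198.51.100.0/24": "if-peer-a",
    "203.0.113.0/24": "if-peer-a",
}

def accept_best_only(iface, src):
    """Accept only if the longest-match best route back to src uses iface."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in BEST]
    matches = [n for n in nets if addr in n]
    if not matches:
        return False  # no route back at all: drop
    longest = max(matches, key=lambda n: n.prefixlen)
    return BEST[str(longest)] == iface

def accept_any_rib_route(iface, src):
    """Accept if any route covering src is in the RIB for iface's session."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in RIB.get(iface, []))

# Constructed packets: (arrival interface, source address, description).
PACKETS = [
    ("if-customer", "192.0.2.10", "customer using its own prefix"),
    ("if-customer", "203.0.113.7", "customer forging a remote source"),
    ("if-peer-b", "203.0.113.7", "asymmetric return over a non-best path"),
    ("if-peer-a", "10.1.1.1", "source with no route in any RIB"),
]

def evaluate(packets=PACKETS):
    """Return (iface, src, best_only_verdict, any_rib_route_verdict) per packet."""
    return [(i, s, accept_best_only(i, s), accept_any_rib_route(i, s))
            for i, s, _ in packets]

if __name__ == "__main__":
    for (iface, src, best, rib), (_, _, note) in zip(evaluate(), PACKETS):
        print(f"{iface:12} {src:14} best-only={best!s:5} any-rib={rib!s:5} {note}")
```

Only the asymmetric case differs between the two checks: the forged customer packet is dropped by both, while legitimate traffic arriving over a non-best path survives only the per-interface RIB check.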