[45108] in North American Network Operators' Group


Re: Growing DoS attacks

daemon@ATHENA.MIT.EDU (Vincent Gillet)
Thu Jan 17 04:07:06 2002

Date: Thu, 17 Jan 2002 10:05:45 +0100
From: Vincent Gillet <vgi@zoreil.com>
To: Jared Mauch <jared@puck.Nether.net>
Cc: nanog@merit.edu
Message-ID: <20020117090545.GB8236@opentransit.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <20020116235101.GA30436@puck.nether.net>
Errors-To: owner-nanog-outgoing@merit.edu


jared@puck.Nether.net said:

> 	Something that people may want to consider doing is
> that assuming you are using hardware/software that can support
> rate-limit of specific packet types/rates, you could
> generate some rate-limits to limit specific types of traffic
> to various ranges.

rate-limit and/or traffic filtering may be available on some
boxes (GSR) but cannot run concurrently with other features (NetFlow).

That is the biggest problem I see trying to put ACLs or rate-limits
on GSR boxes. I think Cisco is working on it.

Output ACLs on some GSR linecards (engine 0/1, I think) make NetFlow
inactive on _all_ line cards :-((

Thus, we cannot put any ACL or rate-limit on customers connected on GSR
boxes .... and it is hard to explain to customers that this is because
of a vendor limitation !!!

The only tool available for these customers is a blackhole for identified
/32s .... bad granularity !

Vincent.
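The two mitigations discussed in this thread, a rate-limit on one packet type (Jared's suggestion) and the coarser /32 blackhole that Vincent is left with on GSR, written out as an added classic-IOS configuration example; it is not part of either post, and the interface name, ACL number, rate values and the 203.0.113.7 victim address are placeholders.

```cisco
! Added example (not from the thread): IOS CAR rate-limit beside a Null0 blackhole.
! Assumed placeholders: POS0/0 = customer-facing interface, ACL 150, 203.0.113.7 = flooded host.
!
! 1. Match only the packet type being flooded (ICMP here), so the customer's
!    other traffic is untouched. This is the "specific packet types" granularity.
access-list 150 permit icmp any any
!
! 2. Rate-limit that class on ingress. Arguments are rate in bits/sec, then
!    normal and extended burst in bytes; tune them to the link speed.
interface POS0/0
 rate-limit input access-group 150 1000000 187500 375000 conform-action transmit exceed-action drop
!
! 3. Fallback when the platform cannot run ACLs/CAR without losing NetFlow:
!    route the single /32 to Null0. Every packet for that host is dropped,
!    but the rest of the customer prefix stays reachable ("bad granularity").
ip route 203.0.113.7 255.255.255.255 Null0
!
! Do not answer each dropped packet with ICMP unreachable; under a flood
! that would turn the router itself into a source of reply traffic.
interface Null0
 no ip unreachables
```

The blackhole route is the same mechanism an operator would later distribute by BGP with a Null0 next-hop; the per-type rate-limit only applies where the linecard supports it without the NetFlow side effect described above.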
