[4668] in North American Network Operators' Group


Re: SYN flood messages flooding my mailbox

daemon@ATHENA.MIT.EDU (Avi Freedman)
Mon Sep 23 23:13:33 1996

From: Avi Freedman <freedman@netaxs.com>
To: rwoundy@VNET.IBM.COM
Date: Mon, 23 Sep 1996 22:35:41 -0400 (EDT)
Cc: avg@quake.net, curtis@ans.net, nanog@merit.edu
In-Reply-To: <199609240210.WAA05403@merit.edu> from "rwoundy@VNET.IBM.COM" at Sep 23, 96 10:10:58 pm

> *** Resending note of 09/23/96 18:38
> Subject: Re: SYN flood messages flooding my mailbox
> >Not.  Every entry in the filter contains the following data:
> 
> >   [Prefix] [Prefix Length] [Bitmask]
> 
> >where the bitmask has a bit per interface, so the bit is set if a
> >packet matching the prefix is allowed from that interface.
> 
> How do you handle the case of an inter-exchange point, with multiple
> BGP neighbors per interface?  The MAE-East NAP is the worst case
> (and not everyone at a NAP is a "transit AS").
> 
> If you tried to handle the case of an IXP, wouldn't you have to
> filter based on both interface and MAC address?

> -- Richard Woundy, IBM

I'm starting to think that MAC-address-filtering ability would be
a VERY useful addition for this sort of thing, esp. if it could be
written as:

access 200 deny ip any host 198.7.0.2 src-mac 0000.1111.2222
access 200 permit ip any any

I think this isn't very possible given the IOS architecture;
hopefully I'm wrong.

Avi
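The filter table quoted above (prefix, prefix length, per-interface bitmask) together with the per-neighbor MAC qualification raised for the exchange-point case, as an added Python example that is not part of this thread and not any vendor's implementation. The interface names, prefixes and MAC addresses are constructed; the default-deny for source prefixes absent from the table is an assumption, since the quoted description does not say what happens to unlisted sources.

```python
"""Added example (not from the NANOG thread): a source-address ingress
filter modelled on the quoted [Prefix] [Prefix Length] [Bitmask] table,
extended with a per-neighbor MAC check for a shared exchange port.
Interface names, prefixes and MACs are constructed for illustration."""
import ipaddress


class SourceFilter:
    """Each entry maps a prefix to a bitmask; bit i of the bitmask is set
    when packets whose source matches the prefix may arrive on interface i.
    For a shared-media exchange port an entry may also carry the set of
    neighbor MAC addresses allowed to originate that prefix on that port."""

    def __init__(self, interfaces):
        # interface name -> bit position in the per-entry bitmask
        self.iface_bit = {name: 1 << i for i, name in enumerate(interfaces)}
        # ip_network -> {"mask": int, "macs": {iface: {mac, ...}}}
        self.entries = {}

    def permit(self, prefix, iface, src_macs=None):
        """Allow `prefix` as a source on `iface`; optionally restrict it to
        frames whose source MAC is one of `src_macs` (IXP neighbor check)."""
        net = ipaddress.ip_network(prefix, strict=False)
        entry = self.entries.setdefault(net, {"mask": 0, "macs": {}})
        entry["mask"] |= self.iface_bit[iface]
        if src_macs:
            entry["macs"].setdefault(iface, set()).update(
                m.lower() for m in src_macs)

    def lookup(self, src_ip):
        """Longest-prefix match on the source address; None if nothing matches."""
        addr = ipaddress.ip_address(src_ip)
        best = None
        for net, entry in self.entries.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        return best

    def accept(self, src_ip, iface, src_mac=None):
        """True if a packet with this source may enter on this interface."""
        match = self.lookup(src_ip)
        if match is None:
            return False  # assumption: source prefixes not in the table are dropped
        net, entry = match
        if not entry["mask"] & self.iface_bit[iface]:
            return False  # known prefix, wrong interface: the spoofing case
        allowed_macs = entry["macs"].get(iface)
        if allowed_macs is None:
            return True   # point-to-point link: the interface identifies the neighbor
        # shared exchange port: the frame must come from a neighbor that may
        # originate this prefix, so the interface bit alone is not enough
        return src_mac is not None and src_mac.lower() in allowed_macs


def build_demo_filter():
    """Constructed topology: two customer serial links and one FDDI
    exchange port with two BGP neighbors on it."""
    f = SourceFilter(["Serial0", "Serial1", "Fddi0"])
    f.permit("198.7.0.0/16", "Serial0")                      # customer A
    f.permit("198.7.5.0/24", "Serial1")                      # more-specific, customer B
    f.permit("192.0.2.0/24", "Fddi0", ["0000.1111.2222"])    # peer X at the exchange
    f.permit("203.0.113.0/24", "Fddi0", ["0000.3333.4444"])  # peer Y at the exchange
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    probes = [("198.7.0.2", "Serial0", None),
              ("198.7.0.2", "Fddi0", "0000.1111.2222"),
              ("198.7.5.9", "Serial0", None),
              ("198.7.5.9", "Serial1", None),
              ("192.0.2.5", "Fddi0", "0000.1111.2222"),
              ("192.0.2.5", "Fddi0", "0000.3333.4444"),
              ("10.0.0.1", "Serial0", None)]
    for src, ifc, mac in probes:
        verdict = "permit" if f.accept(src, ifc, mac) else "deny"
        print(f"{src:12} {ifc:8} {mac or '-':16} -> {verdict}")
```

The longest-prefix match is what makes the more-specific 198.7.5.0/24 entry override the /16 for a different customer port, and the MAC set is only consulted when the matched entry has one for the arrival interface, so point-to-point links keep the cheap interface-only check while the exchange port gets the per-neighbor test.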

