[47308] in North American Network Operators' Group


Re: Effective ways to deal with DDoS attacks?

daemon@ATHENA.MIT.EDU (Vincent Gillet)
Thu May 2 04:57:36 2002

Date: Thu, 2 May 2002 10:53:24 +0200
From: Vincent Gillet <vgi@zoreil.com>
To: "Christopher L. Morrow" <chris@UU.NET>
Cc: measl@mfn.org, Pete Kruckenberg <pete@kruckenberg.com>,
	nanog@merit.edu
Message-ID: <20020502085324.GH27395@opentransit.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.33.0205020431030.11583-100000@rampart.argfrp.us.uu.net>
Errors-To: owner-nanog-outgoing@merit.edu


chris@UU.NET disait :

> > have been on the receiving end of, the first was generating a little over
> > 300mbit/sec (steady for a prolonged time), and the second went over that by a
> > fair bit.  In both cases, we had core equipment (M20's and BSN5000's) fall
> > over and die trying to "work" the events.  Additionally, our upstream peers
> 
> Your M20 tipped over?? What were you doing? We regularly stop large
> (+100Mb->800Mb) attacks with less horsepower than this. Truthfully, a
> cisco is even capable of filtering (done right) at +200kpps...

On Cisco boxes, it depends too much on interface type, LC engine, IOS,
etc ...

Besides, some features cannot run concurrently (I remember an ACL on a GSR
that made my NetFlow export stop .... it took days to figure this out !!!)

ACL implementation on the GSR is also a nightmare.
We are operating more than 70 GSRs with very different interfaces, LC engines and IOS ...

_Some_ IOS with _some_ LC might truthfully filter (turbo, extended, vanilla,
in, out ACLs ?!) .... but there are too many variables in the equation
to get ops people to use it for massive anti-DoS purposes !

Vincent.
