[54782] in North American Network Operators' Group
Re: Is there a line of defense against Distributed Reflective attacks?
daemon@ATHENA.MIT.EDU (hc)
Thu Jan 16 23:08:12 2003
Date: Thu, 16 Jan 2003 23:03:12 -0500
From: hc <haesu@towardex.com>
To: "Christopher L. Morrow" <chris@UU.NET>
Cc: Brad Laue <brad@brad-x.com>, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
>Because syn cookies are available on routing gear??? Either way syn
>cookies are not going to keep the device from sending a 'syn-ack' to the
>'originating host'.
>
>
True.. At least it will have some stop in the amount of attacks.

It is quite unfortunate that it is impossible to control the 'ingress'
point of attack flow. Whenever there is a DoS attack, the only way to
drop it is to null route it (the method you have devised) over BGP
peering, but that knocks the victim host off the 'net... :-(

-hc