[54796] in North American Network Operators' Group
Re: Is there a line of defense against Distributed Reflective attacks?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Jan 17 00:29:57 2003
To: hc <haesu@towardex.com>
Cc: Brad Laue <brad@brad-x.com>,
"Christopher L. Morrow" <chris@UU.NET>, nanog@merit.edu
In-Reply-To: Your message of "Fri, 17 Jan 2003 00:03:56 EST."
<3E278EBC.2050803@towardex.com>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 17 Jan 2003 00:23:52 -0500
Errors-To: owner-nanog-outgoing@merit.edu
--==_Exmh_-775197216P
Content-Type: text/plain; charset=us-ascii
On Fri, 17 Jan 2003 00:03:56 EST, hc said:
> It will help of course, but really not The solution... Or is there one?
In this industry, anybody who advertises The Solution should automatically
be considered a snake oil salesman. There's no One Great Answer, because
there's more than one question. There's a LOT of things that would help:
Ingress filtering
Egress filtering
Clued incident response teams
Systems not shipped insecure by default.
etc etc etc. You've heard them all, I've said them all, they all address
parts of the problem. Nothing addresses all of it.
Ingress/egress filtering would help in some cases of a DDoS packet flood.
Ingress/egress filtering doesn't do squat when Nimda is on a burn.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
--==_Exmh_-775197216P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQE+J5NocC3lWbTT17ARAuH1AKCMAiejA5fJOKze5wYgNj0HsUe8GwCg7rbL
d0BxVPi8AZtOgJw8Qpfc1zY=
=0sj8
-----END PGP SIGNATURE-----
--==_Exmh_-775197216P--
