[54871] in North American Network Operators' Group

Re: FW: Re: Is there a line of defense against Distributed Reflective

daemon@ATHENA.MIT.EDU (Rob Thomas)
Sun Jan 19 14:25:37 2003

Date: Sun, 19 Jan 2003 13:25:03 -0600 (CST)
From: Rob Thomas <robt@cymru.com>
To: NANOG <nanog@merit.edu>
In-Reply-To: <20030119093810.017058d8.jullrich@euclidian.com>
Errors-To: owner-nanog-outgoing@merit.edu


Hi, NANOGers.

] The rest could be handled with a simple IDS (doesn't even need
] to match patterns... just count packets going to 27374 and the like)

There is no "simple IDS" for OC48+ links.  :)  Counters are possible,
though adding that many ACLs can be more than burdensome on certain
code and hardware releases.  Don't even mention logging.  :/  While
some ports are more obvious than others, there is still the question
of what is in the payload of a packet that increments a counter.  It
may be quite benign, e.g. a SYN packet to port 80 from source port
27374.

At the edge some of these things are quite possible.  At aggregation
and transit points, however, such suggestions don't scale.

] I keep saying ISPs would be much better off if they implement these
] filters. But not all of them agree. IMHO: less 'zombies' -> better
] service -> less support phonecalls.

I agree.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
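An added illustration of the false-positive point made above (this is editorial example code, not part of Rob Thomas's message or any NANOG tooling). It runs two "count packets on port 27374" classifiers over a small constructed packet sample: a naive counter that increments on the port appearing in either header field, the way a plain ACL counter does, and a stricter rule that also requires the packet to be going to that port, to be past the TCP handshake, and to carry a payload. The benign case from the message, a SYN to port 80 whose ephemeral source port happens to be 27374, trips the naive counter and not the stricter one. The `Packet` type, the sample addresses (RFC 5737 documentation ranges) and the flag/payload encoding are assumptions made for the example.

```python
# Editorial example, not code from the original message. Compares a naive
# per-port packet counter with a direction/flags/payload-aware rule over a
# constructed packet sample (nothing here is captured traffic).
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header summary; field layout is an assumption for the example."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters, e.g. "S" (SYN), "SA", "PA"
    payload: bytes = b""


SUSPECT_PORT = 27374    # the port the message uses as its example

# Constructed sample traffic (documentation addresses, RFC 5737).
SAMPLE = [
    # Benign: a web client whose ephemeral source port happens to be 27374.
    Packet("192.0.2.10", 27374, "198.51.100.5", 80, "S"),
    Packet("198.51.100.5", 80, "192.0.2.10", 27374, "SA"),
    Packet("192.0.2.10", 27374, "198.51.100.5", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    # Suspicious: an established connection *to* 27374 that carries data.
    Packet("203.0.113.7", 4455, "192.0.2.20", SUSPECT_PORT, "S"),
    Packet("203.0.113.7", 4455, "192.0.2.20", SUSPECT_PORT, "PA", b"hello"),
    # A lone SYN probe to 27374: no handshake completed, no payload.
    Packet("203.0.113.8", 5000, "192.0.2.30", SUSPECT_PORT, "S"),
]


def naive_counter(packets, port=SUSPECT_PORT):
    """Count every packet with `port` in either header field, per source.

    This is what a plain ACL counter keyed on a port number gives you: it
    fires on the benign web client above as readily as on anything else.
    """
    hits = Counter()
    for p in packets:
        if p.sport == port or p.dport == port:
            hits[p.src] += 1
    return hits


def refined_counter(packets, port=SUSPECT_PORT):
    """Count only packets *to* `port` that are past the handshake and carry data.

    Direction, flags and a non-empty payload are each required; the benign
    SYN to port 80 and the bare SYN probe both fall out.  Still a per-packet
    check, so it says nothing about whether the bytes themselves are hostile.
    """
    hits = Counter()
    for p in packets:
        if p.dport == port and "S" not in p.flags and p.payload:
            hits[p.src] += 1
    return hits


if __name__ == "__main__":
    print("naive:  ", dict(naive_counter(SAMPLE)))
    print("refined:", dict(refined_counter(SAMPLE)))
```

The refined rule is still stateless and still looks only at headers plus a payload-length check, so it does not answer the question of what is actually in the payload; it only removes the most obvious header-level false positives. Neither function addresses the scaling concern in the message: at an aggregation point every additional port of interest is one more match entry evaluated per packet.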