[6589] in North American Network Operators' Group
Re: NAP/ISP Saturation WAS: Re: Exchanges that matter...
daemon@ATHENA.MIT.EDU (Tony Li)
Fri Dec 20 22:43:02 1996
Date: Fri, 20 Dec 1996 19:32:58 -0800 (PST)
From: Tony Li <tli@jnx.com>
To: amb@xara.net
CC: amb@xara.net, david@sparks.net, nanog@merit.edu
In-reply-to: <199612202200.WAA26065@diamond.xara.net> (amb@xara.net)
Can I have 2(a) - deal with it statistically and intelligently. TCP/IP
stacks which have got far greater public flak than Cisco's (Solaris 2.4
for instance) do not die when sent 128kb/s of ICMP. As I understand it
11.1 allows access lists based on icmp packet type, and this filtering
is already done off CPU. So "all" the CPU has to do is block ICMPs
from particular hosts, or (even) ICMP at all, if it is being flooded.
You can have anything you like ... at Alice's Restaurant.
;-)
Assuming we're still talking about a 7010, I suspect that you could do
incoming ICMP filtering in the SSE and discard those. But then the bad
guys simply attack your BGP port to circumvent your filters. And the
filters are not intelligent enough to perform the authentication
computation.
I'm surprised it's as low as 128kb/s. It should be more around 2kpps. Not
that this is a stretch. ;-)
I did. They said "the problem doesn't exist".
What? And you didn't believe them? ;-)
I suspect that a better approach is to contact the people with clue
directly.... it sounds like you went through TAC.
Tony
