[7715] in North American Network Operators' Group
Re: karl and paul, expostulating
daemon@ATHENA.MIT.EDU (Justin W. Newton)
Thu Feb 20 16:33:10 1997
Date: Thu, 20 Feb 1997 16:28:02 -0500
To: Paul A Vixie <paul@vix.com>, nanog@merit.edu
From: "Justin W. Newton" <justin@erols.com>
At 07:23 PM 2/19/97 -0800, Paul A Vixie wrote:
Wahoo, a nanog issue :)
>> Filtering by connection to the SMTP port, based on source address, very
>> definitely DOES work.
>
>Filtering packets based on source address makes Ciscos go way slow on
>every packet. Filtering based on destination address makes Ciscos go
>very fast on most packets and a little slower on SYN-ACKs.
If you enable flow switching it adds little overhead to the box. On a 7505
with 2 sets of full routes and another partial set of routes (and all of
the updates associated), that pushes some pretty significant traffic, I am
filtering approx 25M/sec of data with 25k long extended access list. The
total CPU load on the box is approximately 35%. Oh yeah, the box is also
the DR for area 0 of a fairly large OSPF network (approximately 3k routes).
Before flow switching was enabled we were running at 80% or so (not for
more than a few minutes before we enabled flow switching though).
>Sez you. I'd ordinarily expect you to love the idea of "if you don't play
>by my rules I will start my own Internet without you on it."
Go ahead and do so, but not with public resources.
>And, again, wrong. I want spammers to spend 75 seconds of TCP PCB time on
>me.
>By blackholing SYN-ACKs and not sending them ICMPs, they lose capacity that
>they could otherwise spend spamming other people. I call this "fighting
>dirty."
Is having them time out on DNS requests so that their entire system runs
slower fighting dirty as well?
>I operate a cooperative resource. I will not have it used against me.
What kind of a port adapter do you need so as not to have to filter the
traffic to the root name server?
Justin Newton
Network Architect
Erol's Internet Services
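The two router-side approaches argued over in this thread, modelled as an added example (not code from the thread or either author): an inbound ACL keyed on source address, which has to look at every packet, versus a filter that only examines SYN-ACKs leaving the SMTP hosts and silently drops the ones headed to a blocked prefix. Prefixes, ports and packets are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMTP_PORT = 25

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK"}

# Constructed placeholder prefixes (RFC 5737 test nets), not real addresses.
BLOCKED_PREFIXES = [ip_network("192.0.2.0/24")]    # assumed spam source
MAIL_SERVERS = [ip_network("198.51.100.0/24")]     # assumed local SMTP hosts

def _in(addr, nets):
    return any(ip_address(addr) in n for n in nets)

def source_address_filter(packets):
    """Inbound ACL keyed on source address: every packet is matched against
    the blocked prefixes, so the cost scales with total traffic."""
    verdicts, examined = [], 0
    for p in packets:
        examined += 1
        drop = p.dport == SMTP_PORT and _in(p.src, BLOCKED_PREFIXES)
        verdicts.append("drop" if drop else "pass")
    return verdicts, examined

def synack_blackhole_filter(packets):
    """Only SYN-ACKs with source port 25 are examined; a match is dropped
    silently (no ICMP), so the remote stack keeps its half-open connection
    until its own SYN timeout expires. Everything else is forwarded untouched."""
    verdicts, examined = [], 0
    for p in packets:
        if not ({"SYN", "ACK"} <= p.flags and p.sport == SMTP_PORT):
            verdicts.append("pass")
            continue
        examined += 1
        drop = _in(p.src, MAIL_SERVERS) and _in(p.dst, BLOCKED_PREFIXES)
        verdicts.append("blackhole" if drop else "pass")
    return verdicts, examined

# Constructed traffic sample: a blocked-prefix SMTP attempt, a legitimate one, a web flow.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", 40000, 25, frozenset({"SYN"})),
    Packet("198.51.100.5", "192.0.2.10", 25, 40000, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.7", "198.51.100.5", 40001, 25, frozenset({"SYN"})),
    Packet("198.51.100.5", "203.0.113.7", 25, 40001, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.7", "198.51.100.5", 40001, 25, frozenset({"ACK"})),
    Packet("203.0.113.8", "198.51.100.9", 5000, 80, frozenset({"SYN"})),
]
```

Each function returns the per-packet verdicts together with how many packets the rule actually had to inspect, which is the cost difference the thread is arguing about.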