[13894] in bugtraq
Re: DDOS Attack Mitigation
daemon@ATHENA.MIT.EDU (Carson Gaspar)
Thu Feb 17 11:57:17 2000
Message-Id: <14505.59758.618097.132918@taltos.tla.org>
Date: Tue, 15 Feb 2000 19:03:58 -0500
Reply-To: carson@tla.org
From: Carson Gaspar <carson@TLA.ORG>
X-To: Alan Brown <alan@MANAWATU.GEN.NZ>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.05.10002150711250.6393-100000@mailhost.manawatu.net.nz>
>>>>> "Alan" == Alan Brown <alan@MANAWATU.GEN.NZ> writes:
Alan> On Sun, 13 Feb 2000, Darren Reed wrote:
>> You know if anyone was of a mind to find someone at fault over this,
>> I'd start pointing the finger at ISPs who haven't been doing this
>> due to "performance reasons".
Alan> To be fair, if you do this on most terminal servers (eg, Cisco 5300, Max
Alan> 4000), they will collapse under the load.
What!? What did you try, applying ACLs to every modem line?
A _sufficient_ defense is to apply an outbound access list on the
network interface of the terminal server, permitting sources of all subnets
served by that terminal server and denying all other source IP
addresses. This is a _very_ small ACL, and it's fast-path. If that's enough
to cause the router to collapse, it had zero headroom to start with, and was
about to become a boat anchor.
--
Carson Gaspar -- carson@tla.org carson@cs.columbia.edu carson@cugc.org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
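For readers who have not built one, the following is an added illustration of the small egress ACL Carson describes, written by the editor and not taken from his post or from any vendor document. It assumes a Cisco IOS terminal server whose dial-in pools are drawn from the two documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 (hypothetical; substitute the subnets actually assigned to the box) and whose uplink to the ISP core is Ethernet0. The ACL is applied outbound on that uplink, so every packet leaving the dial pools toward the network must carry a source address from one of the served subnets or it is dropped.

```cisco
! Added example (editor's, not from the original post). Numbered extended
! ACL: permit traffic whose source is one of the subnets this terminal
! server hands out to dial-in users, drop everything else. Only a few
! entries, so it stays on the fast path.
access-list 100 remark Egress anti-spoofing: only our dial pools may source packets
access-list 100 permit ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip 198.51.100.0 0.0.0.255 any
access-list 100 deny   ip any any
!
! Apply it outbound on the uplink toward the ISP core, not per modem line.
interface Ethernet0
 ip access-group 100 out
```

Two practical notes. First, keep the `log` keyword off the `deny` line on a busy box: packets that hit a logged entry are punted off the fast path and process-switched, which is exactly the "performance reasons" failure mode being argued about; count hits with `show access-lists 100` instead. Second, remember to add a `permit` entry whenever a new address pool is assigned to the terminal server, or legitimate customer traffic from the new pool will be silently dropped at the uplink.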