NAP/ISP Saturation WAS: Re: Exchanges that matter...
tli at jnx.com
Sat Dec 21 03:32:58 UTC 1996
Can I have 2(a) - deal with it statistically and intelligently. TCP/IP
stacks which have got far greater public flak than Cisco's (Solaris 2.4
for instance) do not die when sent 128kb/s of ICMP. As I understand it
11.1 allows access lists based on icmp packet type, and this filtering
is already done off CPU. So "all" the CPU has to do is block ICMPs
from particular hosts, or (even) ICMP at all, if it is being flooded.
You can have anything you like ... at Alice's Restaurant.
Assuming we're still talking about a 7010, I suspect that you could do
incoming ICMP filtering in the SSE and discard those. But then the bad
guys simply attack your BGP port to circumvent your filters. And the
filters are not intelligent enough to perform the authentication
I'm surprised it's as low as 128kb/s. It should be more around 2kpps. Not
that this is a stretch. ;-)
I did. They said "the problem doesn't exist".
What? And you didn't believe them? ;-)
I suspect that a better approach is to contact the people with clue
directly.... it sounds like you went through TAC.
More information about the NANOG