New Denial of Service Attack on Panix

Dima Volodin dvv at sprint.net
Thu Oct 3 12:40:57 UTC 1996


And if everyone doesn't make any attacks we won't have any problems
either. To rephrase - relying on ingress filtering is putting your
security in someone else's hands, doing host-based stuff is protecting
yourself with your own hands. To rephrase once again - doing ingress
filtering is "being conservative with what you produce", being able to
cope with SYN floods on the host level is "being liberal on what you
accept." We need both, and overemphasising one side of the solution will
do a lot of harm.


Dima

Paul Ferguson writes:
> 
> Well, that's true, but it's a different facet of the same problem.
> The draft only attempts to solve what it is that we can solve by
> ingress filtering. Solutions using firewalls or proxy devices which
> defeat this type of attack are a Good Thing, but if everyone does
> ingress filtering, a large percentage of this problem disappears.
> 
> - paul
> 
> >Thus host-(and firewall-)based solutions are at least as important as
> >the ingress filtering.
> >
> >As for the evidence of these attacks - they were evident long before the
> >current talking.
> >
> >Dima