Advanced Countermeasures to prevent a DDoS
Christopher L. Morrow
chris at UU.NET
Fri Jul 20 04:30:24 UTC 2001
On Fri, 20 Jul 2001, Hank Nussbacher wrote:
>
> At 16:38 19/07/01 -0400, you wrote:
>
> It all hinges on your upstream ISPs. The things to ask for are:
>
> - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you
> should ask that they place on *their* peering routers and on the router
> facing you, Cisco rate limits of about 512kb/sec of ICMP and about
> 128kb/sec of SYNs. Pay extra if need be.

This means I only need a modem to synflood your network out of order.
Rate-limits are only worthwhile for 'well behaved' flows; DoS is by
definition NOT well-behaved.
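
The point of the reply above, as an added example that is not part of the original message: a constructed simulation of a flow-blind token-bucket policer set to the 128 kb/s SYN limit from the quoted post, measuring how many legitimate SYNs survive as other SYN traffic shares the same limit. The 40-byte SYN size, burst size, Poisson arrivals and all traffic rates are assumptions.

```python
import random

SYN_BITS = 40 * 8  # assumption: 20-byte IP + 20-byte TCP header, no options

def arrivals(rng, rate_pps, seconds, label):
    """Poisson arrival times (assumed traffic model) for one source."""
    t, out = 0.0, []
    while rate_pps > 0:
        t += rng.expovariate(rate_pps)
        if t >= seconds:
            break
        out.append((t, label))
    return out

def legit_pass_fraction(limit_bps, legit_pps, unwanted_pps,
                        seconds=30, burst_bits=8000, seed=1):
    """Fraction of legitimate SYNs that get through a shared policer.

    The policer sees only "a SYN"; it cannot tell the two sources apart.
    """
    rng = random.Random(seed)  # fixed seed: constructed, repeatable traffic
    events = sorted(arrivals(rng, legit_pps, seconds, "legit")
                    + arrivals(rng, unwanted_pps, seconds, "unwanted"))
    tokens, last = float(burst_bits), 0.0
    seen = {"legit": 0, "unwanted": 0}
    passed = {"legit": 0, "unwanted": 0}
    for t, label in events:
        # Refill at the configured rate, capped at the burst size.
        tokens = min(burst_bits, tokens + (t - last) * limit_bps)
        last = t
        seen[label] += 1
        if tokens >= SYN_BITS:   # conform: forward and charge the bucket
            tokens -= SYN_BITS
            passed[label] += 1
        # else: exceed action is drop, whoever sent the packet
    return passed["legit"] / max(1, seen["legit"])

if __name__ == "__main__":
    LIMIT = 128_000  # 128 kb/s SYN limit from the quoted post (1 kb = 1000 b)
    for unwanted in (0, 300, 900, 1900):  # constructed loads, SYNs/second
        frac = legit_pass_fraction(LIMIT, legit_pps=100, unwanted_pps=unwanted)
        print(f"unwanted={unwanted:>4} pps  legit SYNs forwarded: {frac:.0%}")
```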