Is there a line of defense against Distributed Reflective attacks?
hc
haesu at towardex.com
Fri Jan 17 04:03:12 UTC 2003
>
>
>
>Because syn cookies are available on routing gear??? Either way syn
>cookies are not going to keep the device from sending a 'syn-ack' to the
>'originating host'.
>
>
True.. At least it will have some stop in the amount of attacks.
It is quite unfortunate that it is impossible to control the 'ingress'
point of attack flow. Whenever there is a DoS attack, the only way to
drop it is to null route it (the method you have devised) over BGP
peering, but that knocks the victim host off the 'net... :-(
-hc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20030116/4a974023/attachment.html>
More information about the NANOG
mailing list