Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

Erik Haagsman erik at we-dare.net
Thu Jun 3 08:55:14 UTC 2004


On Wed, 2004-06-02 at 19:32, Jeff Aitken wrote:
> On Wed, Jun 02, 2004 at 06:00:38PM +0200, Erik Haagsman wrote:
> > Only very small ISPs relying on 36xx's or multilayer switching instead
> > of larger, more powerful might be still valid cases where ACL's are a
> > problem. 
> 
> Interesting assertion.  Care to support it?

It's not unusual for smaller ISPs and small hosting companies to rely
on low-spec equipment that can just deal with normal traffic flows, but
start falling apart when a traffic spike hits and access lists are
present. As an example, take a lower end IronCore Foundry switch with a
management II or III and make a comparison between the impact a DoS has
with and without access lists present. Although it's still
depending on exact network topology and the type of traffic, it's
usually a difference of night and day performance-wise, and the absence
or presence of access-lists can mean the difference between keeping the
network running while under attack and having it fall over, especially
since all access list handling is taken care of by the CPU. This isn't
the case for anyone anywhere that uses this type of equipment, but I can
understand smaller networks with smaller budgets and equipment running
close to their max being hesitant to put access lists and filtering policies
in place. On the other hand, the smaller the network, the smaller the
amount of actual filters needed, so you might wonder if that's even a
reason not to filter.

Cheers,


-- 
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10 7507008
fax:+31(0)10 7507005
http://www.we-dare.nl