North American Network Operators Group

Re: Re[2]: SYN floods (was: does history repeat itself?)
Alec H. Peterson writes:
> > Pat Calhoun writes:
> > This is actually quite simple to implement on Dial Access Routers,
> > and obviously this is the best place to add the filtering.
>
> Sure, that's a place to start. Except for a few problems:
>
> 1) The people doing this are not necessarily using a dialup IP
> connection.

True. That's why you need to filter upstream of public-access unix boxes (like our own).

> 2) Many of us don't have dial access routers that can handle this.

Also true. As I said before, I don't know about the Ascends, but I do know that the Xylogics boxes we use have the capability but probably not the capacity. When all ports are connected at 28.8, CPU usage can hover in the high 80% range. Adding filters would probably be a bad idea.

That's why I was talking about filtering at a router just upstream from the dial-access box. FWIW, even with a thousand very busy modems, I'm pretty sure that even a small cisco is up to the job. They just don't generate all that much traffic.

/a