North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: NAP/ISP Saturation WAS: Re: Exchanges that matter...
On Fri, 20 Dec 1996, Alex.Bligh wrote: > > > I think that there's some lack of clarity on the problem here. Anyone can > > stream packets at ANY router and take it down. If it's not ICMP, you can > > simply forge routing protocol packets. It's a question of simply > > supersaturating the system. To truly deal with DoS attacks, there are > > basically three approaches: > > Indeed. For instance SYN-flood the BGP port. Correct me if I'm wrong but to the best of my recollection, in order for a packet to be accepted on the BGP port, it must be originating from a configured BGP peer. Since the SYN flood method relies on the attack originating from an unreachable (yet routable) address, it would seem that this approach will fail. rfc-1771: If the local system detects that a remote peer is trying to establish BGP connection to it, and the IP address of the remote peer is not an expected one, the local system restarts the ConnectRetry timer, rejects the attempted connection, continues to listen for a connection that may be initiated by the remote BGP peer, and stays in the Active state. -Ophir - - - - - - - - - - - - - - - - -