North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NAP/ISP Saturation WAS: Re: Exchanges that matter...

  • From: Tony Li
  • Date: Fri Dec 20 22:39:56 1996

   Can I have 2(a) - deal with it statistically and intelligently. TCP/IP
   stacks which have got far greater public flak than Cisco's (Solaris 2.4
   for instance) do not die when sent 128kb/s of ICMP. As I understand it
   11.1 allows access lists based on icmp packet type, and this filtering
   is already done off CPU. So "all" the CPU has to do is block ICMPs
   from particular hosts, or (even) ICMP at all, if it is being flooded.

You can have anything you like ... at Alice's Restaurant.

;-)

Assuming we're still talking about a 7010, I suspect that you could do
incoming ICMP filtering in the SSE and discard those.  But then the bad
guys simply attack your BGP port to circumvent your filters.  And the
filters are not intelligent enough to perform the authentication
computation.

I'm surprised it's as low as 128kb/s.  It should be more around 2kpps.  Not
that this is a stretch.  ;-)

   I did. They said "the problem doesn't exist". 

What?  And you didn't believe them? ;-)

I suspect that a better approach is to contact the people with clue
directly....  it sounds like you went through TAC.

Tony




- - - - - - - - - - - - - - - - -