North American Network Operators Group
Re: karl and paul, expostulating
At 07:23 PM 2/19/97 -0800, Paul A Vixie wrote:

Wahoo, a nanog issue :)

>> Filtering by connection to the SMTP port, based on source address, very
>> definitely DOES work.
>
>Filtering packets based on source address makes Ciscos go way slow on
>every packet. Filtering based on destination address makes Ciscos go
>very fast on most packets and a little slower on SYN-ACKs.

If you enable flow switching it adds little overhead to the box. On a 7505 with 2 sets of full routes and another partial set of routes (and all of the updates associated), that pushes some pretty significant traffic, I am filtering approx 25M/sec of data with a 25k-long extended access list. The total CPU load on the box is approximately 35%. Oh yeah, the box is also the DR for area 0 of a fairly large OSPF network (approximately 3k routes). Before flow switching was enabled we were running at 80% or so (not for more than a few minutes before we enabled flow switching though).

>Sez you. I'd ordinarily expect you to love the idea of "if you don't play
>by my rules I will start my own Internet without you on it."

Go ahead and do so, but not with public resources.

>And, again, wrong. I want spammers to spend 75 seconds of TCP PCB time on me.
>By blackholing SYN-ACKs and not sending them ICMPs, they lose capacity that
>they could otherwise spend spamming other people. I call this "fighting
>dirty."

Is having them time out on DNS requests so that their entire system runs slower fighting dirty as well?

>I operate a cooperative resource. I will not have it used against me.

What kind of a port adapter do you need so as not to have to filter the traffic to the root name server?

Justin Newton
Network Architect
Erol's Internet Services
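The configuration the post describes, as an added illustration that is not part of Justin Newton's or Paul Vixie's messages: a source-address extended access list that denies SMTP from a given prefix, applied inbound on an interface with flow switching turned on so the ACL is evaluated once per flow rather than per packet. The prefix 192.0.2.0/24 (a documentation range) and the interface name are constructed placeholders; `ip route-cache flow` is assumed to be the IOS command that enables flow switching on the interface.

```cisco
! Added example, not from the original post. Placeholder values:
! 192.0.2.0/24 stands in for a source prefix you have decided to block.
!
! Extended ACL: deny TCP to the SMTP port from the listed source,
! permit everything else. Wildcard mask 0.0.0.255 covers the /24.
access-list 101 deny   tcp 192.0.2.0 0.0.0.255 any eq smtp
access-list 101 permit ip  any any
!
interface Serial0/0
 ! Flow switching: the ACL decision is cached per flow, so the
 ! per-packet cost of a long source-based list stays small.
 ip route-cache flow
 ! Apply the list to traffic arriving on this interface.
 ip access-group 101 in
```

Without the flow cache the same list is walked for every packet, which is the per-packet slowdown the quoted message refers to; with it, only the first packet of each flow pays the full lookup cost. Check CPU load before and after enabling the cache, as the post does, rather than assuming the effect.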