North American Network Operators Group

Re: Advanced Countermeasures to prevent a Ddos
On Fri, 20 Jul 2001, Hank Nussbacher wrote:

> At 16:38 19/07/01 -0400, you wrote:
>
> It all hinges on your upstream ISPs. The things to ask for are:
>
> - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you
> should ask that they place on *their* peering routers and on the router
> facing you, Cisco rate limits of about 512kb/sec of ICMP and about
> 128kb/sec of SYNs. Pay extra if need be.

This means I only need a modem to synflood your network out of order. Rate-limits are only worthwhile for 'well behaved' flows, DoS is by definition NOT well-behaved.
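The trade-off discussed in this exchange, as an added simulation that is not part of the original messages: one shared token bucket at the quoted 128 kb/s SYN limit, fed by a legitimate source and a flood source. The 40-byte SYN size, the 8 kB bucket depth, the packet rates and the names `arrivals` and `police` are assumptions made for illustration.

```python
import random

SYN_BITS = 40 * 8        # assumption: 40-byte SYN (IPv4 + TCP headers, no options)
LIMIT_BPS = 128_000      # SYN rate limit quoted in the thread (128 kb/s)
BURST_BITS = 8_000 * 8   # assumption: 8 kB bucket depth


def arrivals(rng, rate_pps, label, seconds):
    """Poisson arrival times for one traffic source (constructed traffic)."""
    t, out = 0.0, []
    while rate_pps > 0:
        t += rng.expovariate(rate_pps)
        if t >= seconds:
            break
        out.append((t, label))
    return out


def police(legit_pps, flood_pps, seconds=10, seed=1):
    """Pass both sources through ONE shared token bucket.

    Returns the forwarded fraction per source. The policer matches on
    'is a SYN' only, so it cannot prefer legitimate packets.
    """
    rng = random.Random(seed)
    events = sorted(arrivals(rng, legit_pps, "legit", seconds)
                    + arrivals(rng, flood_pps, "flood", seconds))
    tokens, last = float(BURST_BITS), 0.0
    seen = {"legit": 0, "flood": 0}
    sent = {"legit": 0, "flood": 0}
    for t, label in events:
        # Refill for the elapsed time, capped at the bucket depth.
        tokens = min(BURST_BITS, tokens + (t - last) * LIMIT_BPS)
        last = t
        seen[label] += 1
        if tokens >= SYN_BITS:      # conforming: forward and charge the bucket
            tokens -= SYN_BITS
            sent[label] += 1
    return {k: (sent[k] / seen[k] if seen[k] else None) for k in seen}


if __name__ == "__main__":
    print("no flood          :", police(legit_pps=50, flood_pps=0))
    print("flood at 10x limit:", police(legit_pps=50, flood_pps=4000))
```

Under these assumptions the limit admits 400 SYNs per second, so once the offered load is about ten times that, legitimate and flood SYNs are both forwarded at roughly the same one-in-ten ratio.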