North American Network Operators Group

Re: Effective ways to deal with DDoS attacks?
On Wed, May 01, 2002 at 11:56:07PM -0600, Pete Kruckenberg wrote:
>
> On Thu, 2 May 2002, Richard A Steenbergen wrote:
>
> > You have an interesting situation. I think rate limiting
> > outbound RSTs would be the least offensive thing you
> > could do, off the top of my head.
>
> What about just blocking out-going RSTs altogether from our borders?
> While this interferes with "proper" TCP functionality, would it actually
> interfere enough to cause noticeable problems? Would certainly be less
> of a burden on routers than rate-limiting.

If you really wanted to try you could probably get away with it, but you'll probably get complaints about broken behavior during "peacetime". I'd still advise a rate limit, say something on the order of 512Kbps or less depending on your pipe, and outbound TCP RST. If this makes your routers fall over, you need new routers.

-- 
Richard A Steenbergen <[email protected]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
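
An added sketch, not part of the original post, of what the suggested policy does at a border: a token-bucket policer applied only to outbound packets with the TCP RST flag set, at the 512 kbit/s figure from the reply. The 8000-byte burst, the 40-byte packet size, the traffic rates and the constructed TCP headers are assumptions made for the illustration.

```python
import struct

RST = 0x04  # RST bit in the TCP flags byte (offset 13 of the TCP header)
ACK = 0x10

def tcp_header(flags, sport=80, dport=40000):
    # Constructed 20-byte TCP header (sample data): ports, seq, ack,
    # data offset 5, flags, window, checksum, urgent pointer.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

def is_rst(tcp):
    return bool(tcp[13] & RST)

class Policer:
    """Token bucket: rate in bits/s, burst in bytes; excess packets are dropped."""
    def __init__(self, rate_bps=512_000, burst_bytes=8_000):  # burst is assumed
        self.rate = rate_bps / 8.0          # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def allow(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

def simulate(rst_pps, other_pps, seconds=10, ip_len=40):
    """Return (rst_sent, rst_dropped, other_sent) for outbound traffic."""
    pol = Policer()
    events = [(i / rst_pps, tcp_header(RST | ACK)) for i in range(rst_pps * seconds)]
    events += [(i / other_pps, tcp_header(ACK)) for i in range(other_pps * seconds)]
    events.sort(key=lambda e: e[0])
    rst_sent = rst_dropped = other_sent = 0
    for now, tcp in events:
        if not is_rst(tcp):
            other_sent += 1                 # only RSTs are policed
        elif pol.allow(now, ip_len):        # ip_len: assumed 40-byte RST packet
            rst_sent += 1
        else:
            rst_dropped += 1
    return rst_sent, rst_dropped, other_sent

if __name__ == "__main__":
    print("peacetime:", simulate(rst_pps=50, other_pps=1000))
    print("flood:    ", simulate(rst_pps=20000, other_pps=1000))
```

At the assumed peacetime rate every RST conforms, so ordinary connection teardown is unaffected, while under the assumed flood the border emits roughly 1,600 RSTs per second and drops the rest.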