North American Network Operators Group


Re: Effective ways to deal with DDoS attacks?

  • From: Richard A Steenbergen
  • Date: Mon May 06 01:59:35 2002

On Mon, May 06, 2002 at 05:39:05AM +0000, Christopher L. Morrow wrote:
> 
> Perhaps I'm confused (which is likely in this case) but if the traffic is
> being transited by 2 or 3 AS's before it gets to me through 'default'
> routing how am I to know it was coming?

You're talking about packets received from the internet, he's talking 
about packets received from your customers.

> Any access-list of any length severely impacts edge performance, if it
> works at all, and puts the network at risk. This is not dogma, this is
> proven time and again on a large operational network. They are never
> placed for 'permanent' reasons. It is expected that customers will
> properly handle their traffic... yes they don't always do it, but it is
> expected.

It all depends on a) what's your equipment, and b) what you define as an
edge. If your edge is a T1 things are a lot different than if your edge is
GigE and you have to use "core" (for the definition of core which means
not providing features to compete on performance, and explaining it by
telling you that you shouldn't need those features) equipment to provide 
it.

> Compiled access lists? Wow, you are a braver man than I. My experience
> with them has been 'sub optimal' to say the least. Where known traffic
> flows and known patterns, with reasonable route table sizes, are
> available compiled acls work fine. The internet is none of these :(

If everyone who had been burnt by a Crisco bug in a certain feature never
used that feature again, there would be no features. That said, compiled
access-lists work fine for me. :)

> How large is your edge? Do you have routers with +900 interfaces?
> Management of acls on interfaces, even if the gear were to support it,
> isn't feasible, nor is just dropping in an E3 card a solution, acls
> don't work reliably on E3 cards :( E2 cards are just as fun :( the
> really fun part comes with the 'limited' route table incurred with PSA
> acls on E2 cards!

If your vendor isn't providing you with working products, find a new 
vendor.

I'm not going to touch that config with a 10ft cattle prod though, it 
better be automatically generated. That brings it down to the same level 
of distasteful tolerance for the good of the internet as script generated 
prefix lists. :)

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
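An added example, not part of the thread, of the kind of script-generated per-interface ACL the reply alludes to: it turns a constructed customer-to-prefix table into Cisco IOS ingress access-lists that admit only each customer's assigned source prefixes, and refuses to emit a filter when prefixes overlap or carry host bits. The interface names, prefixes and ACL naming scheme are assumptions.

```python
import ipaddress

# Constructed sample customer table: interface -> prefixes assigned to the
# customer on it. A real deployment would pull this from provisioning data.
CUSTOMERS = {
    "GigabitEthernet1/0": ["192.0.2.0/24", "198.51.100.0/25"],
    "GigabitEthernet1/1": ["203.0.113.0/24"],
}


def wildcard(net):
    """IOS ACLs take an inverse (wildcard) mask rather than a prefix length."""
    return str(net.hostmask)


def build_ingress_acl(ifname, prefixes):
    """Return IOS config lines for an ingress ACL that permits only the
    customer's assigned source prefixes and drops (and logs) everything else.

    strict=True makes ipaddress reject prefixes with host bits set, and the
    overlap check refuses to generate a filter wider than the assignment,
    so a bad table entry fails loudly instead of silently opening the edge."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    for net in nets:
        if net.version != 4:
            raise ValueError(f"{ifname}: {net} is not IPv4")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{ifname}: {a} overlaps {b}")
    name = "INGRESS-" + ifname.replace("/", "-")  # assumed naming scheme
    lines = [f"ip access-list extended {name}"]
    for net in sorted(nets):
        lines.append(f" permit ip {net.network_address} {wildcard(net)} any")
    lines.append(" deny ip any any log")
    lines += [f"interface {ifname}", f" ip access-group {name} in"]
    return lines


def generate(customers):
    """Render the full config snippet for every customer interface."""
    out = []
    for ifname, prefixes in sorted(customers.items()):
        out.extend(build_ingress_acl(ifname, prefixes))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate(CUSTOMERS), end="")
```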