North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Is there a line of defense against Distributed Reflective attacks?

  • From: Valdis.Kletnieks
  • Date: Fri Jan 17 00:31:21 2003

On Fri, 17 Jan 2003 00:03:56 EST, hc said:
> It will help of course, but really not The solution... Or is there one?

In this industry, anybody who advertises The Solution should automatically
be considered a snake oil salesman.  There's no One Great Answer, because
there's more than one question.  There's a LOT of things that would help:
 
Ingress filtering
Egress filtering
Clued incident response teams
Systems not shipped insecure by default.

etc etc etc.  You've heard them all, I've said them all, they all address
parts of the problem.  Nothing addresses all of it.

Ingress/egress filtering would help in some cases of a DDoS packet flood.

Ingress/egress filtering doesn't do squat when Nimda is on a burn.
-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

Attachment: pgp00008.pgp
Description: PGP signature