North American Network Operators Group


Re: DDoS Question

  • From: Roland Dobbins
  • Date: Thu Sep 27 20:43:46 2007



On Sep 28, 2007, at 6:49 AM, Ken Simpson wrote:

You might want to look at some kind of edge email
traffic shaping layer.

So that 'Curtis Blackman' is the only one getting SMTP through to Martin and his customers?


;>

Assuming nothing in the header which could be blocked by S/RTBH or ACLs (or a QoS policy), some of the various DDoS scrubbers available from different vendors may be able to deal with this via the anomalous TCP rates associated with these streams of spam, and/or regexp.

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // 408.527.6376 voice

I don't sound like nobody.

-- Elvis Presley