On Thu, 28 Jun 2001, ASV wrote:
Does anyone have a list of which ISPs are willing to filter ICMP packets for you when your network is being (D)DoS'd, and which prefer to simply blackhole / disconnect you, and which will do absolutely nothing??
I'm finding it hard to gather this information and it occurred to me that this is an obvious factor when choosing an ISP!

There are two kinds of icmp. The kind you absolutely need and the kind you don't. If you are running a service that is likely to get attention (dunno, an irc server or not universally liked content), you will want to filter the kind you don't absolutely need by default.

Not that this helps you in any way, DoS attacks rarely use icmp these days. Lots of 'valid' packets is the keyword today. If you are being hammered by tcp packets on port 80 of your webserver, there is very little you can do but filter _real_ traffic. If it's a DDoS, being able to distinguish real traffic from the DoS-attack is going to be a pain. You will not find many providers who want to dig this deep at this point in time. Best service you can get to keep the rest of your network from falling down because of that one host is then to get it blackholed upstream.

In the current atmosphere, the only real protection you can buy against Denial-of-Service attacks is by distributing your service. If you are distributed and they are distributed, the odds are better; you can sacrifice a host under attack without losing service.

Hope that helps,
Pi