It's not that I don't want to protect my customers. But most of them are ISPs, who are doing web hosting and the like. They find out that a warez ftp site is on their network, most likely consuming a ton of bandwidth, and to protect themselves, they boot the guy. Usually, warez guys have methods to retaliate. Jeez, anyone with a web browser and a C compiler can launch a land.c attack!

I am very willing to help my customers, but there is a tradeoff in terms of what it costs me. If it is a good customer, or more importantly, a big one, then I will write a 200 line access list, no problem! But say I implement this type of service for a few customers, and word spreads that we are doing it; then everyone wants that type of service. How many of you out there have 50, 60, 80+ extended access lists on your border routers? What if I go over 99? Get IOS 11.2?

This has been my point all along. Creating an access list and applying it to a BGP distribute list on my outbound advertisements solves the attack problem, but that is useless because the customer cannot get out to the Internet (cannot be reached from it, actually). NetFlow is a viable tracking tool; however, I still need help from my peers. Say it comes from one ISP, who delivers it to, say, MAE-West, where it is picked up and carried over to MAE-East, picked up again and dropped off over here. That is four providers, four NOCs to tussle with, to catch an attack that usually lasts no more than an hour.

I suppose my biggest question was this. Has anyone got themselves into a hole by providing ICMP filtering on their routers to protect downstream customers, be it in terms of manageability, processor overhead, or packet discarding? Also, where is the best place to do this: ingress, egress, or a combination? Do buffers need to be increased? What about queueing strategy? How does NetFlow affect access-list processing?

I know these questions may be best answered by Cisco, but I want some real answers, from real people in the field. No offense to any Cisco employees, but you do have a company bias, just as we all do. Guys, thanks for all of the replies. You've all been a great help!!!!

-Chris

Jain Depak wrote
Why not just filter all ping traffic to his T1 until the attack subsides?
Christian Martin replied
That is what I am going to do. But with over 100 downstream customers, and IOS 11.1 (sans named access lists) I don't want to start a precedent.
You don't want to start a precedent of protecting customers from DoS attacks?

--
Steve Sobol, Tech Support Guru, NACS.NET [http://www.nacs.net/support]
(The address I use on Usenet is a valid address - don't try to unmunge it!)
Moderator, alt.religion.afterburner [http://antispam.nstc.com/ara]
1997 AL and 1998 World Series Champions: [http://www.indians.com]