On Tue, 4 Sep 2001, Chris Rapier wrote:
Note: We only really start to give a damn when attacks start to suck up more than 20Mbps on its own. Anything less than that is either not worth the hassle or gets lost in the noise. Our position as a GigaPOP eliminates a few potential areas of concern.
That's nice to know. So, If we see <20Mb/s attack from psc.edu, to get your attention and make sure you give a damn about the initial problem, we should counter-attack with 50-60Mb/s or so? Is that the official stance of psc.edu?
I hope he was talking about attacks on him (inbound to him) rather than attacks originating on his network. However, if you ignore a 20Mbps attack, you may wind up launching your own 20Mbps attack unwittingly. For example, if someone sends you spoofed TCP SYN packets, you may respond with an equal number of ICMP unreachable packets, flooding an innocent victim. So you generally cannot ignore 'small' floods, even if they're not harming you. At least, that is, if you care about who you hurt. DS