On Mon, 04 Jun 2001 12:20:41 EDT, Paul Johnson <pjohnson@bosconet.org> said:
Two NSPs should rate limit DoS traffic (ICMP & SYNs) within their networks in such a way that it can never DoS a T-1 (or E-1 if you are not in the US). [note: I'm not sure if ciso's are up for this workload since I primarily work with Juniper.]
Hmm.. I'd be *REALLY* unhappy if our upstream decided to rate-limit SYN packets to prevent a DoS of a T-1, since the smallest pipe we have deployed is in the OC-3 category. The problem is that a *distributed* DOS effectively bypasses this sort of check - you have (for instance) 1000 zombie machines, each contributing only a few packets per second. So none of THEM gets filtered. Each ISP may have only 3-4 zombies, so even aggregated they don't trigger a filter. Nothing trips a filter, until it gets loose inside a Tier-1, with traffic converging on one outbound pipe to the victim from 8 or 10 different peering points. And at THAT point, it's too late. Valdis Kletnieks Operating Systems Analyst Virginia Tech