nanog mailing list archives

Re: [Re: Which Part(s) Failed in the recent DOS Attacks?]


From: Richard Steenbergen <ras () above net>
Date: Thu, 10 Feb 2000 15:54:04 -0500


On Wed, Feb 09, 2000 at 11:37:36PM -0600, Joe Shaw wrote:
> On 9 Feb 2000, Toplez Razer wrote:
> > Joe,
> > Firewall-1 has the SynDefender and Cisco IOS 12.0 has TCP Intercept for
> > stopping TCP DOS.  Could these features stop massive TCP DOS attacks?
>
> Both could possibly help, but when you're dealing with 800Mbps, which is
> how much traffic was reported in the Yahoo DoS, filters don't matter.  The
> problem is, you fill up the pipes and it doesn't matter that the router or
> the firewall drops the packets because legitimate traffic can't get
> through.  If the attacks were smaller directed attacks you'd have a better
> chance of defending yourself, but with these new DDoS attacks it makes it
> next to impossible unless you're a Tier1 or your Tier1 will actively
> filter.  That's what makes them so devastating right now.

GlobalCenter has that kind of pipe, if you can filter out the bad traffic
from the good. With smurfs it's easy, icmp echo-reply is not a "necessary"
packet type. With SYN/ACK floods it's not so easy. But then again the day I
see an 800Mbps SYN flood is the day I throw in the towel and go home.

-- 
Richard A. Steenbergen <ras () above net>  http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA


