Re: Cisco IOS to defend against dod/ddos

[Gareth Fletcher <gareth.fletcher () gmail com>]

Unless its a ddos on some network service, it's the same situation and  
you'll still be getting ddosed. Your upstream provider would be more  
equipped to mitigate these (it may also be their responsibility, and  
they could escalate to their peers to stop it further upstream etc).

Cheers
G

On 21/10/2008, at 5:50 AM, "Michael Condon" <admin () singulartechnologysolutions com 
> wrote:

> What about the case where the client operates their own router  
> instead of having a managed router? Or are you saying that this  
> should be implemented further downstream?
> ----- Original Message ----- From: "Richard Golodner" <rgolodner () infratection com 
> >
> To: "'Michael Condon'" <admin () singulartechnologysolutions com>
> Sent: Monday, October 20, 2008 11:11 AM
> Subject: RE: Cisco IOS to defend against dod/ddos
>
>
> > Michael, Cisco builds DDoS mitigation hardware, but it is very  
> > expensive.
> > Your best bet is to speak with your upstream providers in order to  
> > stop this
> > type of attack. The packet is dropped at your router's interface  
> > when using
> > ACL's which means you are already DDossed.
> >
> >     most sincerely, Richard
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> > ] On
> > Behalf Of Michael Condon
> > Sent: Saturday, October 18, 2008 9:56 PM
> > To: security-basics () securityfocus com
> > Subject: Cisco IOS to defend against dod/ddos
> >
> > Does anyone have examples of Cisco IOS that will defend against
> > dos/ddos/malformed packet attacks by
> > denying access to the sending IP address(es)?
> > Can this also be done for port scans?
> > Can it be done on Routers, PIX Firewalls/Cisco ASA?