Re: SYN flood messages flooding my mailbox

[Avi Freedman <freedman () netaxs com>]

> *** Resending note of 09/23/96 18:38
> Subject: Re: SYN flood messages flooding my mailbox
> > Not.  Every entry in the filter contains the following data:
>
> >   [Prefix] [Prefix Length] [Bitmask]
>
> > where bitmask has a bit per every interfaces, so the bit if set if
> > packet matching the prefix is allowed from that interface.
>
> How do you handle the case of an inter-exchange point, with multiple
> BGP neighbors per interface?  The MAE-East NAP is the worst case
> (and not everyone at a NAP is a "transit AS").
>
> If you tried to handle the case of an IXP, wouldn't you have to
> filter based on both interface and MAC address?

> -- Richard Woundy, IBM

I'm starting to think that MAC-address-filtering ability would be
a VERY useful addition for this sort of thing, esp. if it could be
written as:

access 200 deny ip any host 198.7.0.2 src-mac 0000.1111.2222
access 200 permit ip any any

I think this isn't very possible given the IOS architecture;
hopefully I'm wrong.

Avi

- - - - - - - - - - - - - - - - -