Re: smurf's attack..i

[Hank Nussbacher <hank () ibm net il>]

At 02:40 PM 9/5/97 -0700, Steve Noble wrote:
> If you are going to filter, you can just filter ICMP for now, thats the
> major protocol used in the attack, that way you are only slightly
> affecting those who might have a .255 address on one of their machines.

We instead limit the rate of ICMP to 30kb/sec over our T1 line, thereby
allowing ICMP to work, but yet limiting the damage an ICMP storm can cause.
We use a box called Bandwiz that does the QoS (been discussed here before in
the past).

-Hank