Re: [nsp] effect of ACL on cisco 7500 routers

From: Hank Nussbacher (hank@att.net.il)
Date: Thu May 02 2002 - 04:44:00 EDT


At 01:27 PM 01-05-02 -0700, SMALL, LARS *Internet* (PBI) wrote:
>Hello:
>
>recently I have been investigating the merits of a policy our company (an
>ISP) has with regard to DoS attacks. Specifically, when our customers are
>under attack, unless it is adversely affecting our network, we do not
>intervene. Is there any merit to this policy? What are the concerns (
>besides the added administrative burden) over ACLs applied to a T1 p-t-p
>customer interfaces (channelized DS3) or T1 frame-relay customer (point to
>multipoint framed DS3) or ATM customers of various bandwidths riding ATM
>OC3?

<opinion>
ACLs have been a good tool for the past number of years to stop DOS attacks
but they suffer one very bad feature - they throw away the good packets
along with the bad packets. Consider Amazon being hit with a DOS attack
from random spoofed IPs to their web site. You can't block on source IP
since it is random. If you block on destination IP - you end up taking
Amazon off the network (the ultimate aim of the attacker) at a daily
revenue loss of over $1M.

Therefore, the solutions in the future will be mechanisms that can filter
and sieve the bad packets out and let the good packets through.
</opinion>

Disclosure: I consult to an anti-DDOS company with this philosophy.

Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:43 EDT