Re: [j-nsp] [j-nsp] (d)DoS handling

From: Leigh Porter (lporter@cw.net)
Date: Sat Apr 07 2001 - 08:53:09 EDT


On Friday 06 April 2001 21:46, Rubens Kuhl Jr. wrote:

Last time I tried TCP Intercept it broke quite quickly on high load sites :-(

--
Leigh

> The description reminded me of "TCP Intercept"... (SYN/ACK replying and
> late forwarding of SYN+ACK). JunOS doesn't seem to have it, high-end IOS
> doesn't either.
>
> To me, such a feature doesn't belong to router-land, but to
> multilayer-switch-land. On router-land, unicast-RPF is something that JunOS
> is lacking.
>
> Rubens Kuhl Jr.
>
> -----Original Message-----
> From: Dmitri Kalintsev [mailto:dek@hades.uz]
> Sent: Thursday, April 05, 2001 10:27 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] (d)DoS handling
>
> I've heard rumors that JunOS has some sort of knobs for handling (d)DoS,
> such as packet floods with spoofed source, etc (we all know them all too
> well). Is there such thing, and if there is then what IS it and how exactly
> it works?
>
> (I am well aware that currently nothing radical can be done to prevent
> those, besides constant customer and provider education about usefulness of
> source address forging prevention techniques and dropping IP space under
> attack from global BGP tables, when it is possible. *yech*).
>
> Thanks,
> --
> CCNP, CCDP (R&S) Dmitri E. Kalintsev
> CDPlayer@irc Network Architect @ connect.com.au
> dek @ connect.com.au phone: +61 39 674 3913 fax: 251 3666
> http://-UNAVAIL- UIN:7150410 cell: +61 41 335 1634



This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:42 EDT