[Fwd: [nsp] border configs]
Brian Turnbow
b.turnbow at twt.it
Fri Mar 12 02:59:17 EST 2004
Take a look at this. It talks about "shunting" instead of blackholing.
Basically you route the attack through a filtering device to let good
traffic pass to your customer instead of dropping it all, if your links
can handle it that is.
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-eof-fischbach.pdf
ciao
Brian
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Benjie Ko
Sent: Friday, March 12, 2004 2:47
To: james
Cc: cisco-nsp at puck.nether.net
Subject: Re: [Fwd: [nsp] border configs]
Yes, been running flow collector (cflowd+Flowscan+CUFlow) for quite
some time now. Thanks for all your suggestions and replies. Will
follow your advice on ACLs and null routing. Thanks.
--- james <hackerwacker at cybermesa.com> wrote:
> Along with the excellent things Joshua mentioned I would add
> using net-flows and being able to log this info and process it in
> some way. The worst time to figure out what your network's
> normal traffic patterns look like is during a DDoS. Having long term
> info in some format will clue you into what normal is & how
> different your present traffic is flowing.
>
> Look for opportunities to use null routing instead of ACLs to control
> problems. ACLs cause packets to use slower switching methods,
> while null routing will be switched faster.
>
> If there is an Ethernet "choke point" on your network where all or
> most traffic coming in from the Internet must pass, consider using a
> mirror port to a *nix box where you can run TCPDump.
>
>
> James Edwards
> Routing and Security
> jamesh at cybermesa.com
> At the Santa Fe Office: Internet at Cyber Mesa
> Store hours: 9-6 Monday through Friday
> 505-988-9200 SIP:1(747)669-1965
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
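
Added example, not part of the thread or any poster's own code: one way to act on the advice above about keeping long-term flow data so that "normal" is known before a DDoS. It assumes flow records have already been aggregated into packets per second per destination per interval; the addresses, rates, and the threshold parameters k and floor are constructed for illustration.

```python
# Added example: baseline per-destination traffic from stored flow summaries
# and flag destinations whose current rate is far outside that baseline.
from collections import defaultdict
from statistics import median

# Constructed sample data: (interval, destination, packets_per_second), as might
# be aggregated from exported flow records. Not real traffic.
HISTORY = [
    (0, "192.0.2.10", 900), (1, "192.0.2.10", 1100), (2, "192.0.2.10", 1000),
    (3, "192.0.2.10", 950), (4, "192.0.2.10", 1050),
    (0, "192.0.2.20", 200), (1, "192.0.2.20", 240), (2, "192.0.2.20", 180),
    (3, "192.0.2.20", 220), (4, "192.0.2.20", 210),
]
CURRENT = [("192.0.2.10", 1150), ("192.0.2.20", 45000), ("192.0.2.30", 300)]


def build_baseline(history):
    """Return {dst: (median_pps, mad_pps)} from long-term samples."""
    samples = defaultdict(list)
    for _interval, dst, pps in history:
        samples[dst].append(pps)
    baseline = {}
    for dst, values in samples.items():
        med = median(values)
        # Median absolute deviation: robust to a few past spikes in the history.
        mad = median(abs(v - med) for v in values)
        baseline[dst] = (med, mad)
    return baseline


def find_anomalies(baseline, current, k=10, floor=100):
    """Flag rates above median + k * max(MAD, floor); k and floor are assumed values."""
    flagged = []
    for dst, pps in current:
        if dst not in baseline:
            # No history for this destination: report it rather than guess.
            flagged.append((dst, pps, "no baseline"))
            continue
        med, mad = baseline[dst]
        threshold = med + k * max(mad, floor)
        if pps > threshold:
            flagged.append((dst, pps, f"above {threshold:.0f} pps"))
    return flagged


if __name__ == "__main__":
    for dst, pps, why in find_anomalies(build_baseline(HISTORY), CURRENT):
        print(f"{dst}: {pps} pps ({why})")
```

Destinations flagged this way are the candidates to review for the null routing or shunting discussed in the thread.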