[c-nsp] Efficient way to block spammer networks?
Jon Lewis
jlewis at lewis.org
Tue Apr 26 12:20:19 EDT 2005
On Tue, 26 Apr 2005, Niels Bakker wrote:

> ... setting yourself up for a SYN flood whenever a host in a prefix
> announced under that ASN tries to talk to a host in your network.

They'd have to be trying pretty hard (trying to open lots of connections)
for that to be an issue, and even then, what server kernels don't have
some level of synflood protection now?

> If you can, you may want to set next-hop to Null0 for prefixes with that
> ASN in the AS_path, and then run uRPF-loose on your borders to drop
> incoming packets from those networks.

Unfortunately, I don't have the luxury of any RPF on SUP2s in the 6500s we
use as transit routers.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
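
The approach described in the quoted text (next-hop to Null0 for prefixes carrying a given ASN, plus loose uRPF on the borders), sketched as an added Cisco IOS configuration fragment that is not part of the original message. The AS numbers, as-path list number, route-map name, discard address, neighbor address and interface are placeholders chosen for illustration, and the fragment assumes a platform that supports loose-mode uRPF.

```cisco
! Added example: placeholder values throughout (documentation ASNs and addresses).
!
! 1. Match any BGP path that contains the unwanted ASN (64500 is a placeholder).
ip as-path access-list 10 permit _64500_
!
! 2. A discard address whose only route points at Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! 3. Inbound policy: rewrite the next hop of matching prefixes to the
!    discard address, so they resolve recursively to Null0.
!    Everything else is accepted unchanged.
route-map TRANSIT-IN permit 10
 match as-path 10
 set ip next-hop 192.0.2.1
route-map TRANSIT-IN permit 20
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 route-map TRANSIT-IN in
!
! 4. Loose-mode uRPF on the border interface: a packet is dropped when its
!    source address has no route, or only a route that resolves to Null0.
!    Combined with step 3, inbound packets from the matched prefixes are
!    dropped at the edge instead of reaching hosts that can no longer reply.
interface GigabitEthernet1/1
 ip verify unicast source reachable-via any
```

Without step 4, only the return traffic is discarded, which is the half-open connection situation raised in the first quoted paragraph.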