Home page logo

bugtraq logo Bugtraq mailing list archives

Re: DDOS Attack Mitigation
From: chris () DQC ORG (Chris Cappuccio)
Date: Tue, 15 Feb 2000 14:08:50 -0800

This is a complete lie.

All modern "terminal servers" (you know, integrated modems and dialup server
hardware) including the Cisco As5300 that you mention are fully capable of
filtering traffic based on source address with no real impact on performance.

There is absolutely no excuse for an ISP to *not* filter traffic based on
source address from one of these devices.  There is virtually no added load.

A modern AS5300 has a 150MHz R4700 CPU, which in my own experience does not
go above 10-15% load even under full use (96 modems @56K with lzs compression
turned on).  The average load is around 6%.  Now Cisco has AS5300 units that
can hold 192 modems.  Double my load figures, 30% peak and 12% standard.

How is it that people can use underpowered equipment as an excuse to avoid

Assume your equipment does not provider filtering capabilities? Use OpenBSD,
NetBSD, or whatever you prefer, and do some filtering in between.  For under
$500 USD you can put together an i386 system with decent PCI NICs (such as
Intel EtherExpress PRO/100) which can handle 35-60Mb/sec of traffic (unless
you start hitting it with tons of small packets like a massive smurf attack
or udp flood).

Say you have a T3...With a system that can handle 40Mb/sec, you could use it
to filter most all of your traffic, not just from your dialup servers.

The more filter rules you add, the slower it becomes, but this really isn't a
huge issue until you are talking about hundres of rules.  With capabilities
like head/group in IP Filter, you can make it extremely efficient.

On Tue, 15 Feb 2000, Alan Brown wrote:

 | On Sun, 13 Feb 2000, Darren Reed wrote:
 | > You know if anyone was of a mind to find someone at fault over this,
 | > I'd start pointing the finger at ISP's who haven't been doing this
 | > due to "performance reasons".
 | To be fair, if you do this on most terminal servers (eg, Cisco 5300, Max
 | 4000), they will collapse under the load.
 | >  They've had the ability to do it for
 | > years and in doing so would seriously reduce the number and possibility
 | > of "spoofing" attacks.
 | See above. Having enough CPU available to handle spoof filtering from
 | dialups adds a lot to costs and most ISPs simply can't afford to pay
 | more in order to be able to provide that benefit. :-(
 | AB

Gates' Law: Every 18 months, the speed of software halves.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]