Sean,
What you can do is enforce policy on your AS
boundaries which:
- rate limits ICMP
- counts ICMP to detect floods, a monitoring script on
your NMS can determine when the ICMP threshold has
been exceeded and then determine the source and dest
of the bulk of that ICMP traffic, then change your
filters to discard ICMP to the host under attack while
in parallel notify the NOC of the source or
intermediary involved
- For SYN floods - there may be no way to stop them
but early warning can be achieved by counting both TCP
SYN and total TCP and when the ratio of TCP SYN to TCP
exceeds your threshold you can notify the NOC of the
incoming intfc.
When you understand the characteristics of the attacks
or probes you are trying to stop, there are some
powerful filtering and counting techniques which can
be left in place at your edges and used in conjunction
with monitoring scripts.
Thanks
Sean