It's not that I don't want to protect my customers. But, most of them
are ISPs, who are doing web hosting and the like. They find out that a
warez ftp site is on their network, most likely consuming a ton of
bandwidth, and to protect themselves, they boot the guy. Usually, warez
guys have methods to retaliate. Jeez, anyone with a web browser and a C
compiler can launch a land.c attack! I am very willing to help my
customers, but there is a tradeoff in terms of what it costs me. If it
is a good customer, or more importantly, a big one, then I will write a
200 line access list, no problem! But say I implement this type of
service for a few customers, and word spreads that we are doing it, then
everyone wants that type of service. How many of you out there have 50,
60, 80+ extended access lists on your border routers? What if I go
over 99? Get IOS 11.2?
This has been my point all along. Creating an access list and applying
it to a BGP distribute list on my outbound advertisements solves the
attack problem, but that is useless because the customer cannot get out
to the Internet (cannot be reached from, actually). NetFlow is a viable
tracking tool, however, I still need help from my peers. Say it comes
from one ISP, who delivers it to, say, MAE-West, where it is picked up
and carried over to MAE-East, picked up again and dropped off over here.
That is four providers, four NOCs to tussle with, to catch an attack that
lasts usually no more than an hour.
I suppose my biggest question was this. Has anyone got themselves into
a hole by providing ICMP filtering on their routers to protect
downstream customers, be it in terms of manageability, processor
overhead, or packet discarding? Also, where is the best place to do this,
ingress, egress, or a combination? Do buffers need to be increased?
What about queueing strategy? How does NetFlow affect access-list
processing? I know these questions may be best answered by Cisco, but I
want some real answers, from real people in the field. No offense to
any Cisco employees, but you do have a company bias, just as we all do.
Guys, thanks for all of the replies. You've all been a great help!!!!
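As an added illustration (not part of the original post or any reply), here is what the temporary ICMP filter discussed above could look like on an IOS 11.1-era router, using a numbered extended access list because named lists are unavailable. The prefixes 192.0.2.0/24 (downstream customer), 203.0.113.0/24 (the ISP's own space) and the interface Serial0 (upstream-facing) are placeholders.

```cisco
! Added example, not from the original message.
! Assumptions: 192.0.2.0/24 = customer under attack, 203.0.113.0/24 = our
! own address block, Serial0 = link toward the upstream peer.
!
! Drop the ICMP echo flood aimed at the customer for the duration of the
! attack, but leave all other traffic alone. Unlike pulling the prefix via
! a BGP distribute list, the customer stays reachable from the Internet.
access-list 101 deny   icmp any 192.0.2.0 0.0.0.255 echo
access-list 101 deny   icmp any 192.0.2.0 0.0.0.255 echo-reply
!
! Ingress anti-spoofing: traffic arriving from upstream that claims to be
! sourced from our own space (land.c-style packets and other forgeries)
! is never legitimate, so discard it here.
access-list 101 deny   ip 203.0.113.0 0.0.0.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
!
! Everything else passes. Adding "log" to the deny lines would give
! per-hit syslog counting without NetFlow, at extra CPU cost.
access-list 101 permit ip any any
!
! Apply inbound on the upstream interface (ingress), so the flood is
! discarded at the border instead of being carried across the backbone
! and down the customer's T1.
interface Serial0
 ip access-group 101 in
!
! Hit counters per line show whether the attack is still running:
! show access-lists 101
```

Removing the two ICMP deny lines once the attack ends restores normal ping behaviour while keeping the anti-spoofing entries in place.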
Jain Depak wrote
Why not just filter all ping traffic to his T1 until the attack
Christian Martin replied
That is what I am going to do. But with over 100 downstream customers,
and IOS 11.1 (sans named access lists) I don't want to start a
You don't want to start a precedent of protecting customers from DoS