SYN flood messages flooding my mailbox

*** Resending note of 09/23/96 18:38
Subject: Re: SYN flood messages flooding my mailbox
>Not. Every entry in the filter contains the following data:

> [Prefix] [Prefix Length] [Bitmask]

>where bitmask has a bit per every interfaces, so the bit if set if
>packet matching the prefix is allowed from that interface.

How do you handle the case of an inter-exchange point, with multiple
BGP neighbors per interface? The MAE-East NAP is the worst case
(and not everyone at a NAP is a "transit AS").

If you tried to handle the case of an IXP, wouldn't you have to
filter based on both interface and MAC address?

-- Richard Woundy, IBM

I'm starting to think that MAC-address-filtering ability would be
a VERY useful addition for this sort of thing, esp. if it could be
written as:

access 200 deny ip any host src-mac 0000.1111.2222
access 200 permit ip any any

I think this isn't very possible given the IOS architecture;
hopefully I'm wrong.