> No offense, but both of you are wrong.
> Properly configured, a simple firewall
> CAN prevent most DOS attacks.

I am really confused here. I've read BCP38 (which your paper obliquely
references). I guess you mean: if I have a firewall, I can prevent DOS
attacks from *originating from my network*, as opposed to what I see as
the more popular interpretation of "help you against DOS attacks" to
mean "mitigate the damage of DOS attacks inbound on my network".

> Check out this SANS bulletin on
> "Defeating DDOS". Yes, that is my
> name in the credits. Special task
> force back in 2000. Sigh, and still
> people don't know that you can use
> a simple firewall to defeat most
> DOS attacks... as long as you are
> protecting the world from YOUR
> network.

I can do all the source filtering I want, but if I'm receiving 500 Mpps
of DDOS, my firewall's gonna keel over and die. (Maybe I'm off by 10 dB
or so...)

Any plan of action that depends on the compliance of vendors and
everyone else on the Internet is...well, I'd love the IOS command that
would allow me to configure my neighbor's router.
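
An added example, not part of the original message: a small Python model of the source-address filtering that BCP38 describes, applied at a site edge in both directions. The prefixes (RFC 5737 documentation ranges), the function names and the sample packets are constructed for illustration.

```python
import ipaddress

# Assumption: this site owns one documentation prefix (RFC 5737).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

def _is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)

def egress_permit(src):
    """Source filtering outbound: only packets with a local source may leave."""
    return _is_local(src)

def ingress_permit(src):
    """Anti-spoofing inbound: drop packets that claim one of our own sources."""
    return not _is_local(src)

def filter_stats(packets, direction):
    """Apply the filter to (src, dst) pairs and count the outcomes.

    'inspected' is the work the firewall had to do; it equals the number of
    packets that arrived, whatever the filter then decided about them.
    """
    check = egress_permit if direction == "out" else ingress_permit
    stats = {"permitted": 0, "dropped": 0, "inspected": 0}
    for src, _dst in packets:
        stats["inspected"] += 1
        stats["permitted" if check(src) else "dropped"] += 1
    return stats

# Constructed sample traffic leaving the site.
OUTBOUND = [
    ("192.0.2.10", "198.51.100.7"),    # legitimate local host
    ("203.0.113.99", "198.51.100.7"),  # forged source, stopped at our edge
    ("10.1.2.3", "198.51.100.7"),      # private source leaking out
]
# Constructed inbound flood: 200 packets with non-local sources, plus one
# packet that claims to come from our own prefix.
INBOUND = [("203.0.113.%d" % i, "192.0.2.10") for i in range(1, 201)]
INBOUND.append(("192.0.2.55", "192.0.2.10"))

if __name__ == "__main__":
    print("egress :", filter_stats(OUTBOUND, "out"))
    print("ingress:", filter_stats(INBOUND, "in"))
```

Outbound, the filter removes the two packets with non-local sources; inbound, it still has to inspect every packet that arrives and drops only the one claiming a local source.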

