[AusNOG] network security Question
Luke Iggleden
luke+ausnog at sisgroup.com.au
Wed May 21 10:41:04 EST 2014
Rate limiting router control planes is definitely required though if
your links are big enough to kill your control plane cpu.
I think police 5Mbit/s of ICMP to a border router control plane is
acceptable.
--
Luke Iggleden
On 21/05/2014 10:21 am, Chris Chaundy wrote:
> If you are getting flooded with icmp, blocking/rate-limiting at your
> border is pretty well pointless as the damage is already done - your
> link is toast and the attackers don't give a damn about replies.
>
> And talking about DNS, don't even get started on NTP!!! Sigh...
>
>
> On Wed, May 21, 2014 at 10:15 AM, Joshua D'Alton <joshua at railgun.com.au> wrote:
>
> Some places do this, Linode I believe in some locations (or perhaps
> their carriers/DCs?), just have to remember said hop (XYZ router(s))
> will always have some loss (usually 30%, it's consistent). And what
> level, well presumably layer 3 ACLs?
>
>
> On Wed, May 21, 2014 at 10:08 AM, Alex Samad - Yieldbroker
> <Alex.Samad at yieldbroker.com> wrote:
>
> With the icmp, I was more thinking about rate limiting, all nice
> to allow it through, but I also rate limit. Haven't got any
> shaping on, but I would be deprioritising a lot of icmp
>
> Just wondering what sort of level do (if they do) rate limit icmp to
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
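The two positions in this thread, modelled as an added example that is not part of any poster's message: a single-rate token-bucket policer at the 5 Mbit/s figure mentioned above caps what reaches the control plane, while the flood still fills the upstream link. The burst size, packet size and 1 Gbit/s link are assumptions chosen for illustration.

```python
"""Model of a control-plane ICMP policer (constructed example, not a router config)."""
from dataclasses import dataclass

POLICE_BPS = 5_000_000   # from the thread: police ICMP to the control plane at 5 Mbit/s
BURST_BYTES = 156_250    # assumption: 250 ms of burst at the policed rate
PKT_BYTES = 1_000        # assumption: constructed fixed ICMP packet size


@dataclass
class Result:
    on_link_bps: int     # flood traffic occupying the upstream link
    to_cpu_bps: int      # ICMP the policer passed to the control plane
    link_util: float     # fraction of link capacity consumed by the flood


def simulate(flood_bps: int, link_bps: int, millis: int = 2_000) -> Result:
    """Single-rate token-bucket policer (drop on exceed) behind a finite link."""
    tokens = BURST_BYTES                          # bucket starts full
    refill = POLICE_BPS // 8_000                  # bytes of credit per millisecond
    arriving = min(flood_bps, link_bps) // 8_000  # the link delivers at most its capacity
    pending = link_bytes = cpu_bytes = 0
    for _ in range(millis):
        tokens = min(BURST_BYTES, tokens + refill)
        link_bytes += arriving
        pending += arriving
        while pending >= PKT_BYTES:               # packetise this millisecond's arrivals
            pending -= PKT_BYTES
            if tokens >= PKT_BYTES:               # conform: punt to the control plane
                tokens -= PKT_BYTES
                cpu_bytes += PKT_BYTES
            # exceed: dropped in the forwarding plane, never reaches the CPU
    on_link = link_bytes * 8_000 // millis
    return Result(on_link, cpu_bytes * 8_000 // millis, on_link / link_bps)


if __name__ == "__main__":
    for flood in (2_000_000, 200_000_000, 10_000_000_000):
        r = simulate(flood, link_bps=1_000_000_000)
        print(f"flood={flood / 1e6:>7.0f} Mbit/s  link={r.link_util:6.1%}  "
              f"cpu={r.to_cpu_bps / 1e6:.2f} Mbit/s")
```

Averaged over the run, the control-plane figure sits slightly above 5 Mbit/s because the initial burst allowance is spent once at the start.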