codered/nimda blocking
Derek D. Martin
ddm at pizzashack.org
Tue Nov 6 12:58:40 EST 2001
On Tue, Nov 06, 2001 at 10:58:02AM -0500, Patrick McManus wrote:
> [Peter R. Wood: Tue, Nov 06, 2001 at 10:27:03AM -0500]
> >
> > So we contacted our ISP (Genuity) and asked them if they could set this up
> > on our routers. They refused, saying that they didn't think the routers
> > were the right place to handle this problem, and suggested we set up a
> > firewall. (Why would Cisco give their routers this capability, then?)
>
> To answer your question (why would Cisco...?): NBAR for CR plays a
> security role by protecting vulnerable servers from attack, but it has
> horrible efficiency properties. Since you have a performance problem,
> not a security problem, it's not the right fix for you.
> The only way I can see to solve the problem is to make sure the
> packets don't get onto the subscriber's network; i.e. the only way to
> fix this that I can see is to filter the traffic at the ISP's upstream
> router. If you have a different/better solution, I'd be interested in
> hearing it.
Actually, it depends on the bottleneck -- if the problem is overall
bandwidth, the above would be true. If the problem is only load on the
servers, and there is enough bandwidth, a firewall capable of
application-level filtering on the subscriber's network should do the
job.
--
Derek Martin ddm at pizzashack.org
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
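The application-level filtering option in the message above amounts to recognizing the worms' HTTP request lines, which is what distinguishes a Code Red or Nimda probe from a legitimate request to the same server. The following is an added example written for this archive page, not code from the post or from any product named in the thread. It classifies request paths using the publicly documented probe URIs of the two worms (Code Red: GET /default.ida? followed by a run of N or X; Nimda: root.exe or cmd.exe reached through IIS script directories, often behind percent-encoded or double-encoded traversal), runs that over a handful of constructed web-server log lines, and reports which source addresses an upstream filter or local firewall would have to block. The log lines, timestamps and IP addresses are constructed; the Code Red payload in the sample is shortened.

```python
"""Application-level classification of Code Red / Nimda probes in web-server logs.

Added example for this thread, not code from the post or from any product it
mentions. Signatures are the publicly documented probe URIs of the two worms;
the log lines below are constructed (RFC 5737 documentation addresses).
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache-style common log format: host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Code Red I sent a run of 'N', Code Red II a run of 'X', before the %u-encoded overflow.
CODE_RED_RE = re.compile(r"^/default\.ida\?[NX]{3,}", re.IGNORECASE)
# Every Nimda probe requests root.exe or cmd.exe as a path segment (usually "?/c+dir"),
# whatever traversal encoding precedes it; anchoring on '/' avoids matching query text.
NIMDA_RE = re.compile(r"/(?:root|cmd)\.exe\b", re.IGNORECASE)

# Constructed sample log; the Code Red payload is shortened from the real request.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Nov/2001:12:58:40 -0500] "GET /index.html HTTP/1.0" 200 1432',
    '192.0.2.10 - - [06/Nov/2001:12:59:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -',
    '192.0.2.10 - - [06/Nov/2001:12:59:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [06/Nov/2001:12:59:30 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [06/Nov/2001:12:59:31 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.6 - - [06/Nov/2001:13:00:00 -0500] "POST /cgi-bin/search.pl HTTP/1.1" 200 512',
    'this line is deliberately malformed',
]


def decode_path(path: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times, stopping early when nothing changes.

    Nimda's traversal variants are encoded once (%5c, %c1%1c) or twice
    (%252f, %%35%63), so two rounds expose the '..\\' they hide for reporting.
    Bytes that are not valid UTF-8 (the IIS overlong-sequence variants) become U+FFFD.
    """
    for _ in range(rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path: str) -> str:
    """Return 'codered', 'nimda' or 'ok' for one request path exactly as logged."""
    if CODE_RED_RE.search(path):
        return "codered"
    if NIMDA_RE.search(path):
        return "nimda"
    return "ok"


def parse_log_line(line: str):
    """Parse one common-log-format line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per-source-IP Counter of labels; lines that fail to parse are counted under ip '-'."""
    per_ip = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            ip, label = "-", "unparsed"
        else:
            ip, label = rec["ip"], classify_request(rec["path"])
        per_ip.setdefault(ip, Counter())[label] += 1
    return per_ip


def worm_sources(lines):
    """Sorted source IPs that sent at least one worm probe: the hosts a filter would have to drop."""
    return sorted(ip for ip, c in summarize(lines).items() if c["codered"] or c["nimda"])


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_log_line(line)
        if rec is None:
            print("unparsed:", line)
            continue
        label = classify_request(rec["path"])
        print(f"{rec['ip']:<14} {label:<8} {decode_path(rec['path'])}")
    print("worm sources:", worm_sources(SAMPLE_LOG))
```

Classification deliberately runs on the raw logged path: the worms never encoded the root.exe / cmd.exe segment itself, only the traversal in front of it, so decoding is needed to make the report readable rather than to detect the probe. The same request-line matching is what an application-level firewall would apply inline; a packet filter at the ISP's upstream router, by contrast, can only act on addresses and ports unless it also inspects payloads.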