First, read this:
http://www.cisco.com/warp/public/707/newsflash.html#prevention
Then on the router you can use the ip verify unicast reverse-path interface
command. Off the top of my head, I think the PIX version is ip verify
reverse-path interface outside. The link above explains what that does &
how a DDoS attack works. You can also set embryonics on the PIX for each
static to limit the number of embryonic connections.
It's hard to stop DDoS attacks since they are multiple machines attaching to
a legitimate port simultaneously. Even these fixes will slow down service
since the CPU has to handle each packet and bandwidth is still being used
from packets coming in & being rejected. IDS may even drop to its knees
from trying to block all of the addresses at once if it were implemented.
Anybody have anything else to add?
Allen
----- Original Message -----
From: "Jaiching Chen"
To:
Sent: Thursday, June 21, 2001 11:42 AM
Subject: How to config PIX Firewall to prevent DDoS [7:9379]
> Anybody can help me :
>
> How to config PIX Firewall to prevent DDoS?
>
> Thanks a lot~
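The commands Allen names, written out as an added example (this is not configuration from the original post or from Cisco's documentation). Interface names, addresses and the connection limits are assumptions; the PIX syntax is the 6.x form of static. Comment lines (! on IOS, : on the PIX) are there for the reader and can be stripped before pasting.

```text
! --- Border router (Cisco IOS) ---
! uRPF does its lookup in the CEF table, so CEF must be on first.
ip cef
!
interface Serial0/0
 description Upstream link to the ISP (hypothetical)
 ip address 192.0.2.1 255.255.255.252
 ! Strict reverse-path check: drop any packet whose source address
 ! would not be routed back out this interface (spoofed sources).
 ip verify unicast reverse-path
!
interface FastEthernet0/0
 description Link toward the PIX outside interface (hypothetical)
 ip address 198.51.100.1 255.255.255.0
 ! The same check on the inside-facing link stops hosts behind it from
 ! sourcing spoofed packets, so this site cannot be used as a launch point.
 ip verify unicast reverse-path

: --- PIX Firewall (6.x syntax) ---
: Reverse-path check on traffic arriving from the Internet; the PIX
: equivalent of the router command above.
ip verify reverse-path interface outside
:
: static (inside,outside) global_ip local_ip netmask mask [max_conns [em_limit]]
:   max_conns = total concurrent connections to this host (0 = unlimited)
:   em_limit  = half-open (embryonic) TCP connections allowed; above this the
:               PIX answers new SYNs itself and only completes the translation
:               once the client finishes the handshake (TCP Intercept, PIX 5.2
:               and later as I recall; older code simply dropped the SYNs)
static (inside,outside) 198.51.100.10 10.1.1.10 netmask 255.255.255.255 0 200
```

Two things to size before deploying this: strict uRPF drops legitimate traffic on any interface that sees asymmetric routing (multihomed sites, backup links), so check the return paths per interface rather than enabling it everywhere; and the embryonic limit must sit above the server's normal half-open load, or ordinary clients on slow links get intercepted or dropped along with the flood. Neither setting reduces the bandwidth consumed on the upstream link, which is the point Allen makes above.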
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9406&t=9379
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html