> Well yes, but it's near impossible for packet filters (routers) to
> block TCP flood attacks going to random ports in the range 1024-65535
> that do not have the SYN flag set.

This would be ICMP we are talking about -- no SYN flag.

> These packets would certainly be denied by your full-blown firewall,
> but, as you earlier pointed out, at that point the damage is already
> done to your narrow pipe.

Which is why I would like my upstream provider to prevent more than, say,
30k of ICMP traffic from entering my network at any one time, regardless
of whether they are responses or not.

Dave