Because *All* client traffic is *forced* down the PPP tunnel (ICMP, et al), you have full control over what your customers can and cannot do. For instance, when they reach the PPP Server (Access Concentrator) - All NetBIOS (Windows File & Printer Sharing) can be blocked, all ICMP traffic could be blocked (if you wanted), All packets can be shaped so the customer can only transmit/receive at the allotted bandwidth, you can also block virus proliferation ports.
True. PPP(oE) provides a virtual connection per client, which makes it a lot easier to disable/enable accounts, do per-customer/per-connection bwctrl, filtering, accounting, and makes spoofing and hijacking difficult.
If you use PPPoE, it is easy to kick an infected client off the net once discovered. But it does not solve the DoS problem (which was the original question in this thread).
Sure, the ICMP (or whatever) packets the client is spewing out are dropped when they reach the AC. But by that time the packets have already wasted bandwidth on the AP and backbone. A client PC infected with a DDoS trojan will spew packets and doesn't care whether they reach the destination or are dropped at the AC/NOC. Whether your network architecture is bridging, routing or PPPoE, the rogue client will eat the air time on the AP for breakfast.
The only way you can make sure that an infected client can't wreak havoc on the AP is to have bwctrl on the CPE.
-- LarsG
The PART-15.ORG smartBridges Discussion List
Archives: http://archives.part-15.org
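The air-time argument made above (an AC filter discards the flood only after it has crossed the AP, while bwctrl on the CPE keeps it off the air) can be checked with a small model. This is an added illustration, not code from the list or from any smartBridges product: the token-bucket policer is an assumed stand-in for "bwctrl on the CPE", the NetBIOS/ICMP drop rule is the AC policy described in the quoted message, and the traffic, rates and packet sizes are constructed.

```python
"""Model of the thread's point: an access-concentrator (AC) filter drops an
infected client's packets only after they have consumed AP air time, whereas a
policer on the CPE bounds what reaches the air at all.
Added illustration; traffic and limits are constructed, not from the list."""
from dataclasses import dataclass

US = 1_000_000  # microseconds per second; all times are integer microseconds


@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "tcp" or "udp"
    dport: int   # destination port, 0 for ICMP
    size: int    # bytes on the wire


NETBIOS_PORTS = {137, 138, 139, 445}  # Windows file & printer sharing


def ac_allows(pkt: Packet) -> bool:
    """AC-side policy from the quoted message: block NetBIOS and block ICMP."""
    if pkt.proto == "icmp":
        return False
    if pkt.proto in ("tcp", "udp") and pkt.dport in NETBIOS_PORTS:
        return False
    return True


class TokenBucket:
    """Token-bucket policer standing in for 'bwctrl on the CPE' (an assumption;
    real CPE shapers differ in detail). Tokens are kept in byte-microseconds so
    every operation is exact integer arithmetic."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps          # refill rate, bytes per second
        self.cap = burst_bytes * US   # bucket depth in byte-microseconds
        self.tokens = self.cap        # bucket starts full
        self.last_us = 0

    def allows(self, now_us: int, size: int) -> bool:
        self.tokens = min(self.cap, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if self.tokens >= size * US:
            self.tokens -= size * US
            return True
        return False


def simulate(packets, cpe_policer=None):
    """packets: list of (time_us, Packet) from one client, in time order.
    Returns bytes that spent AP air time, bytes that passed the AC, and drop counts."""
    air = backbone = dropped_cpe = dropped_ac = 0
    for t, pkt in packets:
        if cpe_policer is not None and not cpe_policer.allows(t, pkt.size):
            dropped_cpe += 1      # never transmitted, so no air time spent
            continue
        air += pkt.size           # crossed the AP whatever the AC decides later
        if ac_allows(pkt):
            backbone += pkt.size
        else:
            dropped_ac += 1       # dropped at the AC, but the air time is gone
    return {"air_bytes": air, "backbone_bytes": backbone,
            "dropped_cpe": dropped_cpe, "dropped_ac": dropped_ac}


def icmp_flood(pps: int, seconds: int, size: int = 64):
    """Constructed traffic: an infected client spewing ICMP at a fixed rate."""
    return [(i * US // pps, Packet("icmp", 0, size)) for i in range(pps * seconds)]


def mixed_sample():
    """Constructed mix: SMB, web, NetBIOS name service and one ping."""
    return [(0, Packet("tcp", 445, 1500)), (1000, Packet("tcp", 80, 1500)),
            (2000, Packet("udp", 137, 78)), (3000, Packet("icmp", 0, 64))]


if __name__ == "__main__":
    flood = icmp_flood(pps=10_000, seconds=10)        # 6.4 MB of ICMP in 10 s
    print("AC filter only: ", simulate(flood))
    print("CPE 512 kbit/s: ", simulate(flood, TokenBucket(64_000, 64_000)))
    print("mixed traffic:  ", simulate(mixed_sample()))
```

With the AC filter alone, every one of the 100,000 flood packets is dropped before the backbone, yet all 6.4 MB still crossed the AP; with a 512 kbit/s policer on the CPE the air time is capped at the burst plus ten seconds of rate (just under 704 kB), which is the containment the last paragraph argues for.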
