On Fri, 2003-05-16 at 22:51, Nick Mathewson wrote:
> So, I put your question back to you, and to the list: *are* these
> defenses up to the challenge? What *other* filtering and MTA features
> do current remops use to prevent abuse and DoS? We should definitely
> draw on the experiences of today's operator community, and not enter the
> arms race undermatched.

We need untraceable electronic cash to use as postage stamps.

If you're using TCP, you can limit the total number of connections from
a single address and throttle communications to prevent DoS from a
single host. This could even be done on a /24 basis or whatever to
mitigate attacks from a single LAN.

DDoS is a little more difficult to prevent. It seems like it will
probably always be possible to degrade service if the attacker has
control of a sufficient number of hosts on different networks. I think
the best thing to do is to try to degrade as gracefully as possible
under high load.

-- 
If this helped you, please take the time to rate the value of this post:
<http://svcs.affero.net/rm.php?r=kg6cvv>
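The per-address and per-/24 limiting described in the message above, sketched as an added example that is not part of the original post or of any remailer's code. The class name, method names and limit values are assumptions chosen for illustration, and IPv4 sources are assumed.

```python
import ipaddress
import time


class PrefixLimiter:
    """Cap concurrent connections and new-connection rate per source /24."""

    def __init__(self, max_conns=4, rate=1.0, burst=5, prefix_len=24, clock=time.monotonic):
        self.max_conns = max_conns    # simultaneous connections allowed per prefix
        self.rate = rate              # new connections refilled per second
        self.burst = burst            # token bucket capacity
        self.prefix_len = prefix_len  # 32 limits per host, 24 per LAN
        self.clock = clock
        self.state = {}               # prefix -> [open, tokens, last]; prune idle entries in real use

    def key(self, addr):
        return ipaddress.ip_network(f"{addr}/{self.prefix_len}", strict=False)  # 192.0.2.77 -> 192.0.2.0/24

    def try_accept(self, addr):
        """Return True if a new connection from addr may proceed."""
        now = self.clock()
        s = self.state.setdefault(self.key(addr), [0, float(self.burst), now])
        s[1] = min(self.burst, s[1] + (now - s[2]) * self.rate)  # refill tokens
        s[2] = now
        if s[0] >= self.max_conns or s[1] < 1.0:
            return False              # refuse: caller drops or defers the connection
        s[0] += 1
        s[1] -= 1.0
        return True

    def release(self, addr):
        """Call when a connection from addr closes."""
        s = self.state.get(self.key(addr))
        if s and s[0] > 0:
            s[0] -= 1


def demo():
    """Constructed scenario: one LAN hammers the node, another network is unaffected."""
    t = [0.0]
    lim = PrefixLimiter(max_conns=2, rate=1.0, burst=3, clock=lambda: t[0])
    lan = [lim.try_accept(f"192.0.2.{i}") for i in (10, 11, 12)]  # third hits the concurrency cap
    other = lim.try_accept("198.51.100.7")                         # different /24, own budget
    lim.release("192.0.2.10")
    lim.release("192.0.2.11")
    churn = [lim.try_accept("192.0.2.10") for _ in range(3)]      # only one token left
    t[0] += 2.0                                                    # two seconds refill two tokens
    later = lim.try_accept("192.0.2.99")
    return lan, other, churn, later
```

As the message notes, this only bounds what a single host or LAN can consume; sources spread across many networks each get their own budget.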