RE: [suse-security] IPSec system design questions (slightly OT)

Ed <scotte@intheairnet.com>
To: "suse-security@suse.com" <suse-security@suse.com>
cc:
Subject: RE: [suse-security] IPSec system design questions (slightly OT)
30.06.2001 06:21

<snip>
The system will be immune to DoS attacks.
</snip>

There's no such thing as a system that is immune to DoS attacks. Even when some links are definitely "fat pipes", and some ISPs "just add another T1" if you experience a flood... Someone will have *far more* bandwidth available than you or your ISP can ever dream of.

Imagine someone roots eight sites, each connected at 622Mbps. This makes up 4976mbps of total bandwidth available for the attacker. I think this amount of bandwidth exceeds the total bandwidth available for some entire countries. And that is not a worst-case scenario, since a DDoS attack with 8 sites would be considered a minor attack, and could probably even be filtered by some rather large top tier ISPs (if no spoofing is involved). Large attacks can involve hundreds, even thousands of traffic sources, whereas it is impossible to block them all, even for top tier ISPs. And blocking is only feasible if the blocking party can cope with the amount of traffic being sent to it.

Example: if my ISP has a total bandwidth of 34mbps available, but some attacker constantly sends traffic at a rate of 100mbps, then my ISP will not be able to withstand the attack and it will be taken offline, because its links will be saturated after about 1/3 of a second. And as said, if the attacker chooses to spoof the source addresses of their traffic, blocking would be impossible at all. The only thing the ISP can do then is remove your route from the internet. And that's just the same as being DoSed, if you think about it.

Cheers & correct me if I'm wrong
Chr. Burri
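The capacity argument in the post, carried through as a small tail-drop link model (an added example for capacity planning, not code from the original thread). The 622Mbps sites, the 34mbps ISP link and the 100mbps flood are the post's figures; the router buffer size and the legitimate load are assumed values for illustration.

```python
# Added example (not part of the original post): a simple capacity model for
# the link-saturation argument above. Rates from the post are reused; the
# buffer size and legitimate load are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Optional, Sequence

OC12_MBPS = 622.0  # per-site uplink rate used in the post


def aggregate_mbps(site_rates_mbps: Sequence[float]) -> float:
    """Total flood capacity available from a set of compromised sources."""
    return float(sum(site_rates_mbps))


@dataclass
class LinkState:
    seconds_to_saturate: Optional[float]  # None if the link never saturates
    delivered_fraction: float             # share of offered traffic forwarded
    legit_goodput_mbps: float             # legitimate traffic that survives


def link_under_flood(link_mbps: float, legit_mbps: float, flood_mbps: float,
                     buffer_mbit: float = 8.0) -> LinkState:
    """Model a tail-drop link.

    While offered load exceeds capacity the queue grows at
    (offered - capacity) Mbit/s, so an (assumed) buffer of buffer_mbit fills
    after buffer_mbit / excess seconds.  Once full, drops hit every flow in
    proportion, so legitimate traffic keeps only capacity / offered of its
    packets.  Nothing here depends on who the traffic belongs to, which is
    why filtering by source does not help once the flood is already on the
    saturated link.
    """
    offered = legit_mbps + flood_mbps
    if offered <= link_mbps:
        return LinkState(None, 1.0, legit_mbps)
    excess = offered - link_mbps
    fraction = link_mbps / offered
    return LinkState(buffer_mbit / excess, fraction, legit_mbps * fraction)


if __name__ == "__main__":
    print("8 x OC-12 sites:", aggregate_mbps([OC12_MBPS] * 8), "Mbps")
    # 34 Mbps ISP link, assumed 10 Mbps legitimate load, 100 Mbps flood
    state = link_under_flood(34.0, 10.0, 100.0)
    print(f"buffer full after {state.seconds_to_saturate:.3f} s, "
          f"legit goodput {state.legit_goodput_mbps:.2f} Mbps")
```

The model shows the post's point numerically: with the flood three times the link capacity, legitimate traffic drops to under a third of its normal goodput regardless of how fast the ISP reacts.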
participants (1)
-
christian.burri@synecta.ch