[nsp] BGP sessions drop during DOS and general DOS protections.

Rob Thomas robt at cymru.com
Tue Jul 22 01:12:23 EDT 2003


Hi, Christopher.

] Have you seen a DOS attack come through one of your BGP peers that
] bounced your BGP session?

Several times.  It's all about saturation.  If the router can no
longer handle the interrupts, or the pipe is full, BGP keepalives
will not make it and the peering session will reset.  You can tune
the BGP timers to increase the tolerance for such things, but this
is done at the cost of longer outages when other events (e.g. link
failure, "routine" peer failure) occur.  There are always these
pesky trade-offs.  :)

router bgp 65330
 timers bgp <X> <Y>

Where <X> is the frequency, in seconds, at which the router sends
keepalives, and <Y> is the interval, in seconds, after not
receiving a keepalive that the peering session is closed
(considered dead).  The defaults are 60 seconds and 180 seconds,
respectively.

I recommend filtering traffic to the router, particularly traffic
to the VTY ports and TCP 179.  I have some of this in the Secure
IOS and Secure BGP Templates.

   <http://www.cymru.com/Documents/secure-ios-template.html>
   <http://www.cymru.com/Documents/secure-bgp-template.html>

Avoid TCP Intercept at all costs.  TCP Intercept is a SYN proxy,
and it significantly impacts the ability of the router to handle
traffic.  It sends the traffic through the slow path (process
switched) of the router.  The end result is that the DoS attack
is more successful more quickly.  :|

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
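The trade-off Rob describes above (keepalive interval <X> versus hold time <Y>) can be worked through numerically. The following is an added example, not code from the original post or from Team Cymru: it models a BGP session whose keepalives are all lost while the pipe is saturated, and compares the IOS defaults (60/180) against a relaxed hold time. Assumptions, labelled in the comments: saturation drops every keepalive in the window; the hold timer restarts at session start and at each received keepalive and expires only once the gap strictly exceeds <Y> (the real router races at exactly <Y> seconds); and, per RFC 4271 section 4.2, both peers use the smaller of the two advertised hold times, so relaxing <Y> on one side only works if the peer advertises at least as much.

```python
"""Constructed example (not from the original post): how the two values in
"timers bgp <X> <Y>" trade DoS tolerance against failure-detection delay.

Model (assumption): the router expects a keepalive from its peer every X
seconds and declares the session dead once more than Y seconds pass with
no keepalive. During a saturation window every keepalive is lost.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BgpTimers:
    keepalive: int  # X: seconds between keepalives sent by the peer
    holdtime: int   # Y: seconds of silence before the peer is declared dead


# IOS defaults quoted in the post: 60 s keepalive, 180 s hold time
DEFAULT = BgpTimers(keepalive=60, holdtime=180)


def negotiated_holdtime(local: BgpTimers, remote: BgpTimers) -> int:
    """RFC 4271 4.2: each side uses the smaller of the two advertised hold times,
    so a relaxed local <Y> is only effective if the peer advertises at least as much."""
    return min(local.holdtime, remote.holdtime)


def keepalive_arrivals(timers: BgpTimers, horizon: int,
                       lost_windows: List[Tuple[int, int]]) -> List[int]:
    """Seconds at which a keepalive actually reaches the router. Keepalives
    are sent at k*X; any that fall inside a [start, end) saturation window
    are dropped (assumption: a full pipe loses them all)."""
    arrivals = []
    t = timers.keepalive
    while t <= horizon:
        if not any(start <= t < end for start, end in lost_windows):
            arrivals.append(t)
        t += timers.keepalive
    return arrivals


def session_reset_time(timers: BgpTimers, horizon: int,
                       lost_windows: List[Tuple[int, int]]) -> Optional[int]:
    """Second at which the hold timer expires, or None if the session survives
    until `horizon`. The hold timer is armed at session start (t=0) and
    restarted at each received keepalive; it expires once the gap since the
    last keepalive exceeds Y (a gap of exactly Y is treated as survived)."""
    last = 0
    for t in keepalive_arrivals(timers, horizon, lost_windows):
        if t - last > timers.holdtime:
            return last + timers.holdtime
        last = t
    if horizon - last > timers.holdtime:
        return last + timers.holdtime
    return None


def tolerated_consecutive_losses(timers: BgpTimers) -> int:
    """How many consecutive keepalives may be lost without a reset.
    After n losses the gap between received keepalives is (n+1)*X; the
    session resets once that gap exceeds Y."""
    n = 0
    while (n + 2) * timers.keepalive <= timers.holdtime:
        n += 1
    return n


def main() -> None:
    relaxed = BgpTimers(keepalive=60, holdtime=300)   # constructed "tuned" setting
    saturation = [(100, 250)]                          # constructed 150 s DoS window
    peer_dies_at_61 = [(61, 10**9)]                    # peer fails right after a keepalive
    for name, t in (("default 60/180", DEFAULT), ("relaxed 60/300", relaxed)):
        print(f"{name}: tolerates {tolerated_consecutive_losses(t)} lost keepalives; "
              f"reset during DoS at {session_reset_time(t, 600, saturation)}; "
              f"dead peer noticed at {session_reset_time(t, 600, peer_dies_at_61)}")


if __name__ == "__main__":
    main()
```

With the defaults, three lost keepalives (240 s of silence) reset the session at t=240, while the relaxed hold time rides out the same window; the price shows in the second scenario, where a genuinely dead peer is noticed 120 s later (t=360 instead of t=240), which is exactly the longer-outage cost the post mentions.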