[Fwd: [nsp] border configs]

joshua sahala jejs at sahala.org
Thu Mar 11 17:38:42 EST 2004


On (11/03/04 04:47), Benjie Ko wrote:
> 
> log close to 600k packets on a single second (if I'm reading the
> log correctly). Here is the log.

i personally don't like logging on my internet facing interfaces...too
much noise for my log analyzer to sift, added load on the router, etc

> This was applied on our router's interface . I believe
> it should have also been applied to the interface of
> our upstream 

i think it would depend on whether the traffic was directed at you, or at
a customer of yours, and whether or not your router held up to the load.
if my routers could handle the load (and my normal traffic was able to
get through), i usually didn't call my upstream, except as maybe an fyi,
but if my performance started suffering, then i had to have them do it
on a bigger router with a bigger upstream pipe...

> I'm curious to know what configs you have to minimize
> any DoS attacks on your network,
> (http://www.cymru.com/Documents/index.html) 

i use or have used many of the suggestions put forth in that document or
the secure junos template with good success.  
in general i:

rate-limit udp, syn, and icmp - the limits are based upon my knowledge
of my network and the traffic therein, do not apply limits wantonly

drop/null route traffic from/to bogon networks - done with an acl and/or
uRPF (strict on my customer interfaces, loose on my upstream providers)
- again, do not apply without knowledge of what you are doing, and why

null route/acl unused address space within my network

acl unused services within my network - i.e., if i don't have any webservers,
i don't permit incoming port 80

i also listen on a lot of mailing lists to current events, and will
occasionally modify an access-list if there is some major exploit or
worm, and there hasn't been time to patch or i am trying to help stop
the spread (a la actions taken against slammer, not that we were able to
do much before it had spread worldwide...).  i pay careful attention to
how i design my network, and know what my traffic patterns are supposed
to look like and i set my nms to alert on those thresholds, i monitor my
logs, analyze traffic (netflow), etc, etc

hth

/joshua

-- 
Fixing Unix is easier than living with NT.
	Jonathan Gilpin
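An added example, not part of joshua's post or the Team Cymru template he refers to: a Cisco IOS configuration fragment showing what the four measures he lists (rate-limit udp/syn/icmp, bogon and anti-spoof filtering with an ACL plus uRPF, null-routing unassigned space, and denying unused services) look like on a router with one upstream and one customer interface. Interface names, the address block 203.0.113.0/24 (an RFC 5737 documentation range standing in for "my network"), the unassigned /26 and every rate and burst value are assumptions for illustration; only the RFC-reserved ranges are listed as bogons, since the full list changes as address space is allocated and should be taken from the Cymru page the post links rather than copied from here.

```cisco
! Added example, not from the original post. Addresses, interface names and
! rates are assumptions; tune the CAR numbers to your own measured traffic.

! --- bogon / anti-spoof / unused-service filtering on the upstream-facing side
! Only RFC-reserved ranges are listed; take the full, current bogon list from
! the Team Cymru documents referenced in the post.
ip access-list extended FROM-UPSTREAM
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 ! our own space must never arrive from outside (anti-spoof)
 deny   ip 203.0.113.0 0.0.0.255 any
 ! no web servers in this network, so no inbound port 80 (unused service)
 deny   tcp any 203.0.113.0 0.0.0.255 eq 80
 permit ip any any

! --- traffic classes for CAR (committed access rate) rate limiting
access-list 110 permit icmp any any
access-list 111 permit udp any any
! TCP SYNs: everything that is NOT part of an established connection
access-list 112 deny   tcp any any established
access-list 112 permit tcp any any

! --- null-route address space we own but have not assigned, so packets
! aimed at it are discarded on this router instead of being forwarded
ip route 203.0.113.192 255.255.255.192 Null0

interface Serial0/0
 description upstream provider
 ip access-group FROM-UPSTREAM in
 ! loose uRPF: the source only has to exist in the routing table
 ip verify unicast source reachable-via any
 ! bps, normal burst (bytes), excess burst (bytes) -- assumed values
 rate-limit input access-group 110 256000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 111 2000000 32000 32000 conform-action transmit exceed-action drop
 rate-limit input access-group 112 512000 8000 8000 conform-action transmit exceed-action drop

interface FastEthernet1/0
 description customer
 ! strict uRPF: the source must be reachable back out this same interface,
 ! which is safe here because the customer is single-homed to us
 ip verify unicast source reachable-via rx
```

Two points follow directly from the post's own caveats. The Null0 route for the unassigned /26 also makes any packet claiming a source in that block fail the loose uRPF check on the upstream interface, so the two measures reinforce each other. And the CAR limits are deliberately conservative placeholders: as the post says, the numbers only make sense once you know what the normal icmp, udp and SYN volumes on that link look like, because a limit set below the real baseline drops legitimate traffic long before any flood arrives.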

