[c-nsp] Dropping traffic based on source address
Barry Greene (bgreene)
bgreene at cisco.com
Sun Jul 3 00:01:55 EDT 2005
As mentioned, uRPF Loose Check was created to manage these sorts of
issues. The passive dropping of bogons was a secondary consideration.
Other tools to look at:
QPPB - where you use BGP to mark with the community, then rate-limit based
on the source address to an extremely low limit.
DSB - Equivalent to QPPB on a 6500/7600 with a Sup2 or Sup720 on an OSM
card.
BGP Policy Accounting - can be used with uRPF Loose Check and/or QPPB to
provide visibility into the problem. Using the same BGP community marker
you can count the volume of the problem and then poll via SNMP.
I've attached a list of links that has materials that might be useful.
Some key ones to look at are:
ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/Paris-Sept-04/
  SE04-DEPLOYING-SERVICE-PROVIDER-SECURITY-TECHNIQUES-10208_08_2004_X1_SE04-v2.pdf
  SE12-NEXT-GENERATION-PEERING-AND-INTERCONNECTION-ARCHITECTURES-10120_08_2004_c1_SE12.pdf
As mentioned, getting one of the freeware-based Unix BGP
implementations would make the best "trigger router." This allows you to
build scripts to trigger which prefixes are Null0ed or marked with a
community. Connecting it as a route reflector client works A-OK.
Let me know if you have any questions.
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brad Gould
> Sent: Thursday, June 30, 2005 7:17 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Dropping traffic based on source address
>
> Hi!
>
> We have a (large) list of spamming evil hosts/networks we
> would like to block from our mail servers. (~500k entries)
>
> The list is being imported into the routing table via bgp,
> and we can drop the return path traffic, using PBR. But the
> initial syn traffic is getting through to the servers.
>
> I'd like to drop the inbound traffic, based on its source
> address, but I can't construct a sensible ACL - there are too
> many entries (around 500k).
>
> But can I match based on known routes in the routing table,
> and apply that on the way into the network?
>
> Any ideas?
>
> Thanks
>
> Brad
>
> --
> Brad Gould, Network Engineer
> Internode
> PO Box 284, Rundle Mall 5000
> Level 3, 132 Grenfell Street, Adelaide 5000
> P: 08 8228 2999 F: 08 8235 6999
> bradley at internode.com.au; http://www.internode.on.net/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: SP Security Links.txt
Url: https://puck.nether.net/pipermail/cisco-nsp/attachments/20050703/f4c6a4d2/SPSecurityLinks.txt
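The trigger-router script and uRPF loose check that Barry describes above, as an added example that is not part of the thread (not Barry's, Brad's or Cisco's code): it collapses a blocklist like Brad's into the minimal set of prefixes, emits ExaBGP-style announcements that point them at a blackhole next-hop and tag them with a marker community, and models the edge router's longest-match lookup to show why loose-mode uRPF drops the inbound SYNs that PBR on the return path lets through. The ExaBGP line syntax, the next-hop 10.255.255.1, the community 65000:666 and the blocklist entries are all assumptions or constructed sample data.

```python
"""Trigger-router helper: collapse a host/network blocklist into prefixes,
announce them with a blackhole next-hop and a marker community, and model
the edge router's uRPF loose-check decision.

Added example; not code from the mailing-list post.  The next-hop,
community, ExaBGP line syntax and sample data are assumptions.
"""
import ipaddress
from typing import Iterable, Optional

# Assumed values.  On the edge routers a static route for this next-hop
# points to Null0, so anything BGP resolves through it is discarded.
BLACKHOLE_NEXT_HOP = "10.255.255.1"
DROP_COMMUNITY = "65000:666"

# Constructed sample blocklist (stand-in for the ~500k entries): single
# hosts, a CIDR block, two adjacent /25s, and an entry already covered
# by a wider block.
BLOCKLIST = [
    "203.0.113.7",
    "203.0.113.0/25",
    "203.0.113.128/25",
    "198.51.100.0/24",
    "198.51.100.66",
    "192.0.2.0/24",
]


def collapse(entries: Iterable[str]) -> list:
    """Minimal set of prefixes covering every entry: hosts become /32s,
    adjacent and nested blocks are merged; result is sorted by address."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def announcements(prefixes: Iterable) -> list:
    """ExaBGP-style API lines (syntax assumed) that a script on the Unix
    trigger router would feed to its BGP speaker."""
    return [
        f"announce route {p} next-hop {BLACKHOLE_NEXT_HOP} "
        f"community [{DROP_COMMUNITY}]"
        for p in prefixes
    ]


def withdrawals(old: Iterable, new: Iterable) -> list:
    """Lines withdrawing prefixes that dropped out of the list between two
    runs, so the edge stops blackholing hosts that were delisted."""
    gone = sorted(set(old) - set(new))
    return [f"withdraw route {p} next-hop {BLACKHOLE_NEXT_HOP}" for p in gone]


class EdgeFib:
    """Minimal model of an edge router's FIB: longest-match lookup where a
    route is either a real path or a blackholed prefix learned from the
    trigger router."""

    def __init__(self, real_routes: Iterable[str], blackholed: Iterable):
        # value True means the route resolves to Null0
        self._routes = {ipaddress.ip_network(r): False for r in real_routes}
        self._routes.update({p: True for p in blackholed})

    def lookup(self, src: str) -> Optional[tuple]:
        """Longest-prefix match for src: (network, is_blackholed) or None."""
        addr = ipaddress.ip_address(src)
        for net in sorted(self._routes, key=lambda n: n.prefixlen, reverse=True):
            if addr in net:
                return net, self._routes[net]
        return None

    def urpf_loose_drops(self, src: str) -> bool:
        """True if loose-mode uRPF (IOS 'ip verify unicast source
        reachable-via any') would drop a packet from src: no route at all,
        or the best route points to Null0.  No default route is modelled;
        on IOS a default route only satisfies the check with allow-default."""
        hit = self.lookup(src)
        return hit is None or hit[1]


def demo() -> dict:
    """Build the announcements, then check sample source addresses against
    an edge FIB that carries two real aggregates plus the blackholes."""
    prefixes = collapse(BLOCKLIST)
    for line in announcements(prefixes):
        print(line)
    fib = EdgeFib(["203.0.0.0/8", "198.0.0.0/8"], prefixes)
    samples = ["203.0.113.9", "203.0.50.1", "198.51.100.66", "10.9.9.9"]
    return {s: fib.urpf_loose_drops(s) for s in samples}


if __name__ == "__main__":
    for src, dropped in demo().items():
        print(f"{src:15} {'DROP' if dropped else 'pass'}")
```

The edge side this pairs with on IOS is the usual blackhole pattern: a static `ip route 10.255.255.1 255.255.255.255 Null0` so the announced next-hop resolves to Null0, and `ip verify unicast source reachable-via any` on the ingress interfaces so packets whose source resolves to that route are dropped on the way in. The model deliberately has no default route; if the edge carries one, loose mode will only discard Null0-routed sources, which is the behaviour wanted here but worth knowing when reading drop counters.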