[c-nsp] Dropping traffic based on source address

Tantsura, Jeff jtantsura at ugceurope.com
Mon Jul 4 04:47:52 EDT 2005


Thank you for these invaluable links!!!!!!!!!

Jeff


-----Original Message-----
From: Barry Greene (bgreene) [mailto:bgreene at cisco.com] 
Sent: 03 July 2005 06:02
To: Brad Gould; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Dropping traffic based on source address


As mentioned, uRPF Loose Check was created to manage these sorts of
issues. The passive drops of bogons was a secondary consideration.

Other tools to look at:

QPPB - where you use BGP to mark the community, then rate-limit based
on the source address to an extremely low limit. 

DSB - Equivalent to QPPB on a 6500/7600 with a Sup2 or Sup720 on an OSM
card.

BGP Policy Accounting - can be used with uRPF Loose Check and/or QPPB to
provide visibility into the problem. Using the same BGP community marker
you can count the volume of the problem and then poll via SNMP.

I've attached a list of links that has materials that might be useful.
Some key ones to look at are:

ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/Paris-Sept-04/

SE04-DEPLOYING-SERVICE-PROVIDER-SECURITY-TECHNIQUES-10208_08_2004_X1_SE04-v2.pdf
SE12-NEXT-GENERATION-PEERING-AND-INTERCONNECTION-ARCHITECTURES-10120_08_2004_c1_SE12.pdf

As mentioned, getting one of the freeware-based Unix/BGP
implementations would make the best "trigger router." This allows you to
build scripts to trigger which prefixes are Null0ed or marked with a
community. Connecting it as a route reflector client works A-OK. 

Let me know if you have any questions.
 

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brad Gould
> Sent: Thursday, June 30, 2005 7:17 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Dropping traffic based on source address
> 
> Hi!
> 
> We have a (large) list of spamming evil hosts/networks we 
> would like to block from our mail servers. (~500k entries)
> 
> The list is being imported into the routing table via bgp, 
> and we can drop the return path traffic, using PBR.  But the 
> initial syn traffic is getting through to the servers.
> 
> I'd like to drop the inbound traffic, based on its source 
> address, but I can't construct a sensible ACL - there are too 
> many entries (around 500k).
> 
> But can I match based on known routes in the routing table, 
> and apply that on the way into the network?
> 
> Any ideas?
> 
> Thanks
> 
> Brad
> 
> --
> Brad Gould, Network Engineer
> Internode
> PO Box 284, Rundle Mall 5000
> Level 3, 132 Grenfell Street, Adelaide 5000
> P: 08 8228 2999  F: 08 8235 6999
> bradley at internode.com.au; http://www.internode.on.net/ 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
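Added example (not code from the thread, from Barry Greene, Cisco or Internode): a sketch of the "trigger router" scripting described above, generating static routes for a source-based black hole that edge routers enforce with uRPF loose check. Everything in it is assumed or constructed: 192.0.2.1 (an RFC 5737 documentation address) stands in for the discard next-hop routed to Null0 on every edge router, AS 65000 / community 65000:666 / tag 666 are placeholders, and the block list is a made-up sample. The IOS stanzas are included as generated text to show how the pieces fit, not as a tested configuration.

```python
"""Trigger-router helper for source-based black-holing (added example, not from the thread).

Assumptions, all constructed for illustration:
  - 192.0.2.1 is the discard next-hop that every edge router statically routes to Null0.
  - AS 65000, community 65000:666 and route tag 666 are placeholder values.
  - SAMPLE_BLOCKLIST is a made-up feed, not any provider's real data.
"""
import ipaddress
from typing import Iterable, List

DISCARD_NEXT_HOP = "192.0.2.1"      # assumed: points to Null0 on all edge routers
BLACKHOLE_COMMUNITY = "65000:666"   # assumed placeholder community
ROUTE_TAG = 666                     # assumed: tag matched by the redistribution route-map

# Constructed sample feed: hosts and networks, with duplicates and junk on purpose.
SAMPLE_BLOCKLIST = """
203.0.113.7
203.0.113.8/30
203.0.113.10          # already covered by the /30 above
198.51.100.0/25
198.51.100.128/25     # merges with the previous /25 into a /24
203.0.113.7           # duplicate
not-an-address        # junk line that must not abort the run
"""


def parse_blocklist(text: str) -> List[ipaddress.IPv4Network]:
    """Turn one host-or-CIDR-per-line text into network objects, skipping junk lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue   # one bad feed line must not take the whole policy down
    return nets


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Drop duplicates/overlaps and merge adjacent prefixes: fewer routes to carry in BGP."""
    return list(ipaddress.collapse_addresses(nets))


def trigger_router_statics(prefixes: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Tagged static routes for the trigger router; the route-map below redistributes them."""
    return [
        f"ip route {p.network_address} {p.netmask} {DISCARD_NEXT_HOP} tag {ROUTE_TAG}"
        for p in prefixes
    ]


def build_trigger_config(blocklist_text: str) -> List[str]:
    """Full pipeline: raw feed -> collapsed prefixes -> trigger-router static routes."""
    return trigger_router_statics(collapse(parse_blocklist(blocklist_text)))


# Trigger router: redistribute the tagged statics into BGP, forcing the discard next-hop
# and marking the community so edge routers and BGP policy accounting can recognise them.
TRIGGER_ROUTER_BGP = f"""\
router bgp 65000
 redistribute static route-map BLACKHOLE
!
route-map BLACKHOLE permit 10
 match tag {ROUTE_TAG}
 set ip next-hop {DISCARD_NEXT_HOP}
 set community {BLACKHOLE_COMMUNITY} no-export
 set local-preference 200
"""

# Edge router: the discard next-hop resolves to Null0, so every black-holed prefix does too.
# uRPF loose check on the ingress interface then drops packets whose *source* address
# resolves to Null0 (or has no route at all), which is what stops the inbound SYNs.
EDGE_ROUTER_CONFIG = f"""\
ip route {DISCARD_NEXT_HOP} 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 description ingress from peer/transit (assumed interface name)
 ip verify unicast source reachable-via any
"""

if __name__ == "__main__":
    print("! --- trigger router statics (generated from the sample feed) ---")
    print("\n".join(build_trigger_config(SAMPLE_BLOCKLIST)))
    print("! --- trigger router BGP ---")
    print(TRIGGER_ROUTER_BGP)
    print("! --- edge router ---")
    print(EDGE_ROUTER_CONFIG)
```

Collapsing first matters at the scale in the question: 500k host entries often shrink considerably once duplicates, covered hosts and adjacent prefixes are merged, and each surviving prefix costs a FIB entry on every edge router. Because the drop happens in uRPF on the source lookup, no ACL has to be built at all; the same community can also feed the QPPB or BGP policy accounting configuration mentioned above.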

