[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

james edwards hackerwacker at cybermesa.com
Tue Jun 14 13:16:59 EDT 2005


>
> Can you elaborate?
>
> i.e.: What hardware did they use?
>     How did they try to mitigate the attack?


75xx. The route-map used to drop 92-byte ICMP (for Nachi) also dropped 92-byte
TCP, at least on the 75xx.
Through the provider's TAC case Cisco insisted we were seeing application
problems. It was left to me to debug this issue for the provider (and Cisco).
This lasted a month & we lost many customers. Does anyone actually test
these recommended mitigations? This was a huge loss of customers and a
large amount of OT to solve our provider's problem (and Cisco's). Sweeps of
TCP packets around the 92-byte size clearly demonstrated the problem.

ACLs used to mitigate problems caused my traffic to drop to zero at approx.
1 min. intervals, on a DS3 that at the slowest part of the day ran at 15
megs/sec. ACLs were useless, due to this problem, so I quit asking this
provider for help. We then obtained transit DS3s from providers with
Junipers and have been very happy with their ability to match and discard at
any rate.

My network consists of 7206VXRs, NPE300s and 400s. I have controlled
small DDoSes (20k-30k pps) with null routes and uRPF, after removing all
ACLs. From my lab tests things start getting bad at ~1 order higher.

Based on some posts on this list it seems the G1 is not much better in its
abilities to withstand DDoS/DoS.

Sorry this took so long, I have been out sick.

James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh at cybermesa.com  noc at cybermesa.com
http://www.cybermesa.com/ContactCM
(505) 795-7101
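The 92-byte route-map failure described above is consistent with a length match that is not restricted to ICMP. As an added example (not the configuration from the post, and assuming the Nachi filter was built as IOS policy routing with `match length`), here is the over-broad form beside one that pins the length match to ICMP echo traffic, with the show commands to check what the policy actually matches before leaving it in production.

```cisco
! Added example, not the configuration from the post. Assumes an IOS
! policy-routing filter for the 92-byte Nachi ping.
!
! --- Over-broad: matches on layer-3 length alone, so every 92-byte
! --- packet (TCP included) is sent to Null0.
route-map NACHI-DROP permit 10
 match length 92 92
 set interface Null0
!
! --- Narrowed: match statements in one clause are ANDed, so the length
! --- match only applies to packets that also pass the ICMP echo ACL.
access-list 190 permit icmp any any echo
access-list 190 permit icmp any any echo-reply
!
route-map NACHI-DROP-ICMP permit 10
 match ip address 190
 match length 92 92
 set interface Null0
!
! Packets that match no clause are forwarded normally; policy routing
! has no implicit drop.
interface Serial3/0
 description transit DS3 (constructed example interface)
 ip policy route-map NACHI-DROP-ICMP
!
! Verify with a test sweep of 92-byte TCP before trusting the filter:
! the match counters should only move for ICMP.
! show route-map NACHI-DROP-ICMP
! show ip policy
```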
