[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Rodney Dunn
rodunn at cisco.com
Mon Jun 20 11:00:30 EDT 2005
Sorry for the late reply...
On Tue, Jun 14, 2005 at 11:16:59AM -0600, james edwards wrote:
> >
> > Can you elaborate?
> >
> > ie: What hardware did they use?
> > How did they try to mitigate the attack?
>
>
> 75xx. The route-map used to drop 92-byte ICMP (for Nachi) also dropped
> 92-byte TCP, at least on the 75xx.
> Through the provider's TAC case, Cisco insisted we were seeing application
> problems. It was left to me to debug this issue for the provider (and
> Cisco). This lasted a month & we lost many customers. Does anyone actually
> test these recommended mitigations?
Yes. Clearly we missed a spot in the test. Shame on us.
> This was a huge loss of customers and a large amount of OT to solve our
> provider's problem (and Cisco's). Sweeps of TCP packets around the 92-byte
> size clearly demonstrated the problem.
>
> ACLs used to mitigate problems caused my traffic to drop to zero at approx.
> 1 min. intervals, on a DS3 that at the slowest part of the day ran at 15
> megs/sec. ACLs were useless, due to this problem, so I quit asking this
> provider for help. We then obtained transit DS3s from providers with
> Junipers and have been very happy with their ability to match and discard at
> any rate.
A 75xx isn't the box that should be used for high-speed ACLs.
I wouldn't advise that to any SP looking to provide their customers
with high-speed ACL or blackholing services.
I'll leave it at that.
>
> My network consists of 7206VXRs, NPE-300s and NPE-400s. I have controlled
> small DDoSes (20k-30k pps) with null routes and uRPF, after removing all
> ACLs. From my lab tests things start getting bad at ~1 order of magnitude
> higher.
>
> Based on some posts on this list it seems the G1 is not much better in its
> abilities to withstand DDoS/DoS.
>
> Sorry this took so long, I have been out sick.
>
> James H. Edwards
> Routing and Security Administrator
> At the Santa Fe Office: Internet at Cyber Mesa
> jamesh at cybermesa.com noc at cybermesa.com
> http://www.cybermesa.com/ContactCM
> (505) 795-7101
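The failure James describes, a length-based drop that catches every 92-byte packet rather than only the Nachi ICMP echoes, comes down to what the route-map clause matches on. The following IOS configuration is an added illustration, not anything posted in this thread and not Cisco's or Cyber Mesa's own config; the route-map and ACL names and the interface are hypothetical. It places the broad form beside the narrowed form so the difference is visible in the match statements.

```cisco
! Added example, not from the thread. Names and interface are hypothetical.
!
! Broad form: a clause that matches on length alone. Every 92-byte IP packet
! arriving on the policy-routed interface, TCP included, is sent to Null0.
! This is the class of mitigation the thread reports breaking 92-byte TCP.
route-map DROP-92 permit 10
 match length 92 92
 set interface Null0
!
! Narrow form: match statements of different types inside one clause are
! ANDed, so adding an ACL limited to ICMP echo / echo-reply restricts the drop
! to 92-byte ICMP echo traffic (20-byte IP header + 8-byte ICMP header +
! Nachi's 64-byte payload) and leaves TCP of the same size alone.
ip access-list extended NACHI-ECHO
 permit icmp any any echo
 permit icmp any any echo-reply
!
route-map DROP-NACHI permit 10
 match ip address NACHI-ECHO
 match length 92 92
 set interface Null0
!
! Apply only the narrowed policy to the transit interface. Packets that do
! not match clause 10 fall through to normal forwarding; no explicit
! catch-all clause is needed.
interface Serial1/0
 description transit DS3 (hypothetical)
 ip policy route-map DROP-NACHI
!
! Verification: send 92-byte TCP test packets across the interface and
! confirm the policy-routing counter for clause 10 does not move, then
! repeat with 92-byte ICMP echo and confirm it does.
! show route-map DROP-NACHI
! show ip policy
```

Two practitioner notes. First, test the narrowed policy with a TCP sweep around the target size before deploying, exactly as the thread describes doing after the fact; the length match applies to the Layer 3 length, so any protocol can land on 92 bytes. Second, on older IOS policy routing is process-switched unless `ip route-cache policy` is configured, so a length-matching route-map on a busy 75xx can hurt for forwarding-path reasons quite apart from what it matches, which is consistent with the advice above not to rely on that platform for high-rate filtering.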