[c-nsp] Cisco Guard & the detection/mitigation modules for the 6500
Jared Mauch
jared at puck.nether.net
Tue Oct 3 11:46:49 EDT 2006
On Tue, Oct 03, 2006 at 10:25:44AM -0400, Drew Weaver wrote:
> Jared,
>
> In our hosting environment we have seen 600Mbps+ sized attacks
> directed at 100Mbps ports which basically backscatters all of the
> traffic > 100Mbps back upstream to our edges and in effect (eventually)
> causes performance degradation. So it basically sounds like a who's got
> the bigger pipe scenario? The 600 cable modem zombies, or your paid for
> OC-12/Gig-E circuits? :D
Depending on what you're doing, you may want to do some rate-limits
to trim down on the traffic headed at these ports upstream.
There's rarely any reason to have more than a few megs of icmp
inside one's network. If you can set up some policers/rate-limits to dump
the icmp traffic down to something reasonable before it gets to your
customer nets, that can help.
You can also police other types of traffic based on your
typical patterns. These obviously may need to be tuned over time,
and collecting some aggregate data on eg: proto tcp over 6 mos
would be valuable. Same goes for udp, proto 50 (ipsec) and other types
of traffic. You could even tune these further, but dropping icmp to a
sane rate is one thing to do.
> Is it a common scenario for people to sign up for circuits which
> are not used unless there is an attack? Or do people in the hosting
> environment generally just pay a lot more for bandwidth than they would
> ever need?
I've heard of people that will buy a 2nd gig-e and such just for
the deployment of stuff like the guard, cloudshield and other types
of DoS "scrubber" boxen.
> Also, does anyone know of any transit providers which (if paid
> well enough) will deploy ddos services at their end of the circuits?
I think most (large) providers have services along
these lines. You may not find it universal across all your providers
but it's something a quick query to your isp security team or sales
team may provide you with a good answer. If you're sufficiently
multihomed, you may want/need to do this service internally.
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
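An added example of the ICMP policing Jared describes, not taken from his post or from Cisco documentation: a Cisco IOS MQC policy on an upstream-facing 6500 interface that caps inbound ICMP to a small rate and gives UDP its own class to be tuned from collected traffic data. The 2 Mbps ICMP rate, the 50 Mbps UDP rate, the ACL/class/policy names and the interface name are all assumed values.

```cisco
! Match all ICMP so it can be policed as one aggregate (assumed ACL name)
ip access-list extended ACL-ICMP-ANY
 permit icmp any any
!
! Match all UDP; the rate below is a placeholder to be tuned from your
! own aggregate data (e.g. months of per-protocol counters)
ip access-list extended ACL-UDP-ANY
 permit udp any any
!
class-map match-any CM-ICMP
 match access-group name ACL-ICMP-ANY
class-map match-any CM-UDP
 match access-group name ACL-UDP-ANY
!
! Rate-limit rather than drop: a small ICMP allowance keeps PMTUD and
! basic reachability working while an ICMP flood is cut before it
! reaches customer-facing 100 Mbps ports
policy-map PM-EDGE-IN
 class CM-ICMP
  police 2000000 375000 conform-action transmit exceed-action drop
 class CM-UDP
  police 50000000 9375000 conform-action transmit exceed-action drop
 class class-default
!
! Apply inbound on the transit/upstream interface (assumed interface)
interface TenGigabitEthernet1/1
 description Upstream transit
 service-policy input PM-EDGE-IN
```

Check conform/exceed counters with `show policy-map interface TenGigabitEthernet1/1 input` during normal load first, so the UDP rate is raised above legitimate peaks before it is relied on under attack.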