[c-nsp] cisco 7500 UDP attack

Rubens Kuhl Jr. rubensk at gmail.com
Thu Sep 21 09:00:50 EDT 2006


> Nope, I don't use logs, I have a very powerful system for processing netflow

If just plain ACLs without log are making your 7500 unresponsive, but
it can cope with the packets if it doesn't ACL them, you should
consider inserting something else to filter the packets.

One inexpensive solution is a Linux box configured as a bridging
firewall with no conntrack. PCs of 1 GHz or faster are cheap, and it
could be just a mitigation resource activated by switch configuration
(changing the 7500 VLAN on the switch, for instance, so it wouldn't be
a single point of failure on normal operations).

> I was interested if Cisco has developed something to break DoS attacks or you
> folks are using something to fight DoS attacks, because these things are a
> continuous pain in the neck; all the time you are at risk, any time it can be

Cisco has Traffic Anomaly Detector and Guard; also deployed around you
can find Arbor PeakFlow and Radware DefensePro. The great thing about
them is their detection capabilities, so you will know there is an attack
going on before the phone rings. Some products/scenarios can also
suggest mitigation measures, or implement them.

> started, and in some cases you just sit and watch how they are screwing your
> internet bandwidth even if you block them at core routers.

On that point, you will need cooperation of your upstreams to block
the traffic. Either automatically by black-hole-routing or by calling
them on the phone.

Rubens
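The stateless bridging filter Rubens suggests above, written out as an added example (not from the original thread or from any product named in it). It assumes two NICs, eth0 facing the upstream and eth1 facing the 7500, a protected prefix and an attack port that are constructed placeholders, and a modern iproute2/iptables toolset rather than the brctl of 2006. The raw-table NOTRACK rules are the "no conntrack" part: they run before connection tracking, so the box never builds a state table for the flood. DRY_RUN=1 (the default) only prints the commands; set DRY_RUN=0 as root on the actual bridge box to apply them.

```shell
#!/bin/sh
# Added example: a stateless Linux bridge that drops a UDP flood before it
# reaches the router. All interface names, prefixes and ports below are
# assumed placeholders; adjust them to the real topology.

BRIDGE="${BRIDGE:-br0}"
UPSTREAM_IF="${UPSTREAM_IF:-eth0}"      # toward the upstream / attack source
ROUTER_IF="${ROUTER_IF:-eth1}"          # toward the 7500
PROTECTED="${PROTECTED:-192.0.2.0/24}"  # TEST-NET-1, constructed placeholder
ATTACK_PORT="${ATTACK_PORT:-1434}"      # constructed placeholder port
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Build a transparent bridge: no IP addresses, no routing, the 7500 keeps
# its own addresses and the box is invisible to both sides.
bridge_setup() {
  run ip link add name "$BRIDGE" type bridge
  run ip link set "$UPSTREAM_IF" master "$BRIDGE"
  run ip link set "$ROUTER_IF" master "$BRIDGE"
  run ip link set "$UPSTREAM_IF" up
  run ip link set "$ROUTER_IF" up
  run ip link set "$BRIDGE" up
  # Make iptables see IPv4 frames crossing the bridge (bridge-netfilter).
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Stateless filter: disable conntrack for everything, then drop the flood.
filter_rules() {
  # The raw table is evaluated before conntrack; NOTRACK here means no
  # state entries are ever created, so a flood cannot exhaust the table.
  run iptables -t raw -A PREROUTING -j NOTRACK
  run iptables -t raw -A OUTPUT -j NOTRACK
  # Drop only the attack traffic, matched by protocol, destination and port.
  run iptables -A FORWARD -i "$UPSTREAM_IF" -p udp -d "$PROTECTED" \
      --dport "$ATTACK_PORT" -j DROP
  # Everything else is bridged untouched.
  run iptables -P FORWARD ACCEPT
}

# Sanity check on the generated ruleset: succeed only if it references no
# stateful match, which is the property this design depends on.
rules_are_stateless() {
  if filter_rules | grep -q -e '-m conntrack' -e '-m state'; then
    return 1
  fi
  return 0
}

bridge_setup
filter_rules
rules_are_stateless && echo "ruleset is stateless"
```

Because the bridge carries no IP configuration, the same box can sit dormant on a spare switch port and be pulled into the path by moving the 7500's VLAN, as the message describes, without being a dependency during normal operation.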

