[c-nsp] Anyone who have set PBR against worm or dos?

rendo r3nd0 at yahoo.com
Fri Feb 23 01:55:21 EST 2007 

Just to share my experience, i have used pbr to re-route worm traffic to
null0 interface since few years ago, and personally, i  prefer to use pbr
rather than acl.

I put pbr on catalyst 6500, the cpu load is much much lower than using
access list.

I don't know any other method to block worm traffic, so because pbr is
consuming much lower cpu than acl, i'm still using it until now.

-rendo-



On 2/23/07, rendo <rendo.aw at gmail.com> wrote:
>
>
> Just to share my experience, i have used pbr to re-route worm traffic to
> null0 interface since few years ago, and personally, i  prefer to use pbr
> rather than acl.
>
> I put pbr on catalyst 6500, the cpu load is much much lower than using
> access list.
>
> I don't know any other method to block worm traffic, so because pbr is
> consuming much lower cpu than acl, i'm still using it until now.
>
> -rendo-
>
>  On 2/23/07, Monty Ree <chulmin2 at hotmail.com> wrote:
>
> > Hello list.
> >
> > I have saw some cisco security documents against worm attack.
> > It was named PBR and it would be great against worm or dos attack.
> > because most packet size of the worms and dos attacks are same size.
> >
> > But I'm afraid that it cause lots of cpu load at my system or not.
> > So is there anyone who have done PBR at your cisco equipment?
> > My systems are C6509sup2 and C6509sup720 and the normal traffic is over
> > 6-7G bps.
> >
> > The link which I saw is below.
> > http://archives.neohapsis.com/archives/cisco/2003-q3/0010.html
> >
> > ----------------  example ---------------------------------
> > access-list 199 permit icmp any any echo
> > access-list 199 permit icmp any any echo-reply
> >
> > route-map nachi-worm permit 10
> >      ! --- match ICMP echo requests and replies (type 0 & 8)
> >      match ip address 199
> >
> >      ! --- match 92 bytes sized packets
> >      match length 92 92
> >
> >      ! --- drop the packet
> >      set interface Null0
> >
> >
> >    interface <incoming-interface>
> >      ! --- it is recommended to disable unreachables
> >      no ip unreachables
> >
> >      ! --- if not using CEF, enabling ip route-cache flow is recommended
> >      ip route-cache policy
> >
> >      ! --- apply Policy Based Routing to the interface
> >      ip policy route-map nachi-worm
> >
> >
> > Thanks for your time.
> >
> > _________________________________________________________________
> > 보다 빠른 소식, 보다 빠른 정보, MSN 뉴스에서 확인하세요.
> > http://news.msn.co.kr/
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>

More information about the cisco-nsp mailing list