[c-nsp] Cisco way against DoS/DDos Attack?
Saku Ytti
saku+cisco-nsp at ytti.fi
Wed Jan 3 06:31:43 EST 2007
On (2007-01-03 08:37 +0000), Monty Ree wrote:
> So, is there any cisco method against DDoS attack which send large
> traffic(bps,pps) like above?
1) Use netflow to find src/dst of the attack; run netflow in all AS borders.
2) Implement RPF/Loose in all AS borders (this is cisco specific; with
junos you need something called 'flow routes').
Choose some real address you have as your blackhole, eg. 42.42.42.42/32,
null route this everywhere, at least in every AS border.
On one or more boxes use redistribute static route-map STATIC-TO-BGP
to redistribute blackhole routes to BGP, eg. 'match tag 666, set community
42:666, set ip next-hop 42.42.42.42'.
If you run next-hop-self in every router, you're going to need a route-map
towards the RRs also in the boxes that source blackholes, to reset the next-hop if
community 42:666 is set; this will supersede next-hop-self.
If you're going to allow customers to blackhole, you should disable
connected-check or run ebgp-multihop.
3) Either null route sources:
ip route 1.2.3.4 255.255.255.255 null0 tag 666
ip route 6.3.3.4 255.255.255.255 null0 tag 666
or destination:
ip route 5.5.5.5 255.255.255.255 null0 tag 666
This should apply to all attacks not targeted to your infrastructure,
your infrastructure should be protected in AS borders with ACL + Policer.
Eg. allow ICMP + UDP high ports towards your core loop0 and
point-to-point, and police them to an acceptable rate.
If your customer facing links aren't from manageable block, and you
can't protect them in iACL, stop advertising the PE side of the link:
int customerfacing
 ip address 2.2.4.0 255.255.255.254
!
ip route 2.2.4.1 255.255.255.255 customerfacing tag advertise-me-in-ibgp
Assuming the CPE side needs to be advertised (NAT evilness or similar).
Use CoPP to protect your infrastructure from attacks inside your AS#.
This way your infrastructure should be very well protected, without
needing a huge redesign even in a poorly planned/non-organically grown
network (M&A's tend to be bad in terms of network entropy :)
I wouldn't use any microflow policer or alike unless in the utmost
simplest networks.
If your business-case is keeping certain service running, even though
it gets DoS, you might want to buy some of the sponging solutions.
Further plans might be, that you implement QoS throughout core, and
drop all AS external traffic in case of congestion, kinda like
drop eligibility bit. This might not make sense for your products,
but if main products do not heavily depend on well performing
internet connectivity (eg. VPN or email), it might make sense.
> If I have been attacked, I would do the below..
>
> 1st. find source & dst ip which are related to the attack and null route them.
> # ip route 1.1.1.1 255.255.255.255 Null0
>
> 2nd. filter source ip using access-list
>
> 3rd. rate-limit per ip
> ex) rate-limit input access-group 150 2000000 250000 250000 conform-action
> transmit exceed-action drop
>
> 4th. ????
>
> If a DDoS attack happened, filtering all source ips would not be the right answer,
> and a firewall wouldn't defend because of the large traffic.
>
> So is there any good method or documentation or new technology against DDoS
> attack using cisco?
>
> My network equipment is GSR(12008) and 6509sup2.
>
>
> Thanks for your time..
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
++ytti
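The remote-triggered blackhole setup sketched in points 2) and 3) above, written out as one IOS configuration. This is an added example, not configuration from the original post or from Saku's network; the blackhole address 42.42.42.42/32, tag 666, community 42:666, the route-map name STATIC-TO-BGP and the victim address 5.5.5.5 come from the post, while the AS number 65000, the interface names, the route-map name TO-RR, the community-list name BLACKHOLE and the route reflector address 10.0.0.1 are assumptions chosen for illustration.

```ios
! ===== Every AS border router (and ideally every router) =====
! The blackhole address is a real address you own, null-routed everywhere.
! Any prefix whose BGP next-hop resolves to it is dropped in hardware.
ip route 42.42.42.42 255.255.255.255 Null0
!
! Loose-mode uRPF on the border: packets *sourced* from a null-routed
! prefix fail the reachability check and are dropped as well, so the same
! trigger route blackholes a source as effectively as a destination.
interface GigabitEthernet0/0
 description AS-border-upstream (assumed interface name)
 ip verify unicast source reachable-via any
!
! ===== Trigger router (one or more boxes that source blackholes) =====
! Tag 666 marks a static route as "blackhole me"; nothing else is needed
! per attack, just one line like this (victim address from the post).
ip route 5.5.5.5 255.255.255.255 Null0 tag 666
!
! Only tag-666 statics are redistributed; the next-hop is rewritten to
! the blackhole address, community 42:666 marks the route so other
! policies can recognise it, and no-export (added here as an assumption)
! keeps the route inside the AS.
route-map STATIC-TO-BGP permit 10
 match tag 666
 set ip next-hop 42.42.42.42
 set community 42:666 no-export
 set local-preference 200
 set origin igp
!
! Explicit deny so ordinary statics never leak into BGP.
route-map STATIC-TO-BGP deny 20
!
! If next-hop-self is configured towards the route reflectors, this
! outbound route-map resets the next-hop for 42:666 routes only, so the
! blackhole next-hop survives (the point made in the post).
ip community-list standard BLACKHOLE permit 42:666
!
route-map TO-RR permit 10
 match community BLACKHOLE
 set ip next-hop 42.42.42.42
route-map TO-RR permit 20
!
router bgp 65000
 bgp log-neighbor-changes
 redistribute static route-map STATIC-TO-BGP
 neighbor RR peer-group
 neighbor RR remote-as 65000
 neighbor RR update-source Loopback0
 neighbor RR next-hop-self
 neighbor RR send-community
 neighbor RR route-map TO-RR out
 neighbor 10.0.0.1 peer-group RR
```

The trigger router never drops the traffic itself; it only announces a /32 with a next-hop that every other router already null-routes. That is why the Null0 route for 42.42.42.42 has to exist on all borders before the first trigger is added, and why `send-community` must be on, otherwise the RR-facing route-map on other boxes has nothing to match. To verify, `show ip bgp 5.5.5.5` on a border router should show next-hop 42.42.42.42 and community 42:666, and `show ip cef 5.5.5.5` should resolve to Null0.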