[c-nsp] Cisco way against DoS/DDos Attack?
Jeff Tantsura
jeff.tantsura at sscplus.nl
Wed Jan 3 07:51:35 EST 2007
Hi,
All you need to configure (Loose) RPF with junos is:
set routing-options forwarding-table unicast-reverse-path active-paths   (or feasible-paths)
set interfaces <ifd> unit <n> family inet rpf-check mode loose          (per interface)
Jeff
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Wednesday, January 03, 2007 3:32 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco way against DoS/DDos Attack?
On (2007-01-03 08:37 +0000), Monty Ree wrote:
> So, is there any cisco method against a DDoS attack which sends large
> traffic (bps, pps) like above?
1)
Use netflow to find src/dst of attack, run netflow in all AS borders.
2)
Implement RPF/Loose in all AS borders (this is cisco specific, with
junos you need something called 'flow routes').
Choose some real address you have as your blackhole, eg. 42.42.42.42/32,
null route this everywhere, at least in every AS border.
On one or more boxes use redistribute static route-map STATIC-TO-BGP
to redistribute blackhole routes to BGP, e.g. 'match tag 666, set community
42:666, set ip next-hop 42.42.42.42'.
If you run next-hop-self in every router, you're going to need a route-map
towards the RRs also in the boxes that source blackholes, to reset the next-hop if
community 42:666 is set; this will supersede next-hop-self.
If you're going to allow customers to blackhole, you should disable
connected-check or run ebgp-multihop.
3)
either null route sources:
ip route 1.2.3.4 255.255.255.255 null0 tag 666
ip route 6.3.3.4 255.255.255.255 null0 tag 666
or destination:
ip route 5.5.5.5 255.255.255.255 null0 tag 666
This should apply to all attacks not targeted to your infrastructure,
your infrastructure should be protected in AS borders with ACL + Policer.
E.g. allow ICMP + UDP high ports towards your core loop0 and
point-to-point, and police them to an acceptable rate.
If your customer facing links aren't from manageable block, and you
can't protect them in iACL, stop advertising the PE side of the link:
int customerfacing
ip address 2.2.4.0 255.255.255.254
!
ip route 2.2.4.1 255.255.255.255 customerfacing tag advertise-me-in-ibgp
Assuming the CPE side needs to be advertised (NAT evilness or similar).
Use CoPP to protect your infrastructure from attacks inside your AS#.
This way your infrastructure should be very well protected, without
needing a huge redesign even in a poorly planned/non-organically grown
network (M&A's tend to be bad in terms of network entropy:)
I wouldn't use any microflow policer or alike unless in the utmost
simplest networks.
If your business-case is keeping certain service running, even though
it gets DoS, you might want to buy some of the sponging solutions.
Further plans might be, that you implement QoS throughout core, and
drop all AS external traffic in case of congestion, kinda like
drop eligibility bit. This might not make sense for your products,
but if your main products do not heavily depend on well performing
internet connectivity (e.g. VPN or email), it might make sense.
> If I have been attacked, I would do as below..
>
> 1st. find the source & dst IPs related to the attack and null-route them.
> # ip route 1.1.1.1 255.255.255.255 Null0
>
> 2nd. filter source ip using access-list
>
> 3rd. rate-limit per ip
> ex) rate-limit input access-group 150 2000000 250000 250000 conform-action
> transmit exceed-action drop
>
> 4th. ????
>
> In a DDoS attack, filtering all source IPs would not be the right answer,
> and a firewall wouldn't defend because of the large traffic.
>
> So is there any good method or documentation or new technology against DDoS
> attacks using cisco?
>
> My network equipment is GSR(12008) and 6509sup2.
>
>
> Thanks for your time..
>
--
++ytti
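Added example (not Saku's configuration and not from the original thread): an IOS config that puts steps 2 and 3 above together on one AS-border/trigger router, plus the border ACL + policer for infrastructure addresses. It reuses the thread's values (42.42.42.42 blackhole next-hop, tag 666, community 42:666, the 1.2.3.4 / 6.3.3.4 / 5.5.5.5 sample routes). Everything else is assumed for illustration: AS 64496, infrastructure block 192.0.2.0/24, RR address 192.0.2.254, interface names, and the policer rates.

```cisco
! Added example, not from the original thread. Assumed: AS 64496,
! infrastructure block 192.0.2.0/24, RR 192.0.2.254, interface names, rates.
!
! Needed so that community-lists can use the AA:NN form (42:666).
ip bgp-community new-format
!
! Blackhole next-hop: a real address of yours, null-routed on EVERY router
! (otherwise the BGP next-hop never resolves to Null0 on the remote boxes).
! No tag 666, so STATIC-TO-BGP below does not redistribute it.
ip route 42.42.42.42 255.255.255.255 Null0
!
! (3) Trigger routes, trigger router only. Tag 666 is the selector.
! Sources: dropped by loose uRPF at every border once the route is in BGP.
ip route 1.2.3.4 255.255.255.255 Null0 tag 666
ip route 6.3.3.4 255.255.255.255 Null0 tag 666
! Destination: traffic to the victim is discarded at every border.
ip route 5.5.5.5 255.255.255.255 Null0 tag 666
!
! Tagged statics -> BGP, carrying the blackhole community and next-hop.
route-map STATIC-TO-BGP permit 10
 match tag 666
 set ip next-hop 42.42.42.42
 set community 42:666 no-export
 set local-preference 200
 set origin igp
!
! Towards the RRs: keep the blackhole next-hop on 42:666 routes even
! though next-hop-self is configured (outbound set ip next-hop wins).
ip community-list standard BLACKHOLE permit 42:666
!
route-map TO-RR permit 10
 match community BLACKHOLE
 set ip next-hop 42.42.42.42
route-map TO-RR permit 20
!
router bgp 64496
 redistribute static route-map STATIC-TO-BGP
 neighbor 192.0.2.254 remote-as 64496
 neighbor 192.0.2.254 update-source Loopback0
 neighbor 192.0.2.254 next-hop-self
 neighbor 192.0.2.254 send-community
 neighbor 192.0.2.254 route-map TO-RR out
!
! Infrastructure protection at the border: ICMP and UDP high ports
! towards the infrastructure block are allowed but policed, so loop0 and
! p2p addresses stay reachable (traceroute, ping) but not at attack rate.
ip access-list extended INFRA-ICMP-UDP
 permit icmp any 192.0.2.0 0.0.0.255
 permit udp any 192.0.2.0 0.0.0.255 range 33434 33534
!
class-map match-all INFRA-RATE-LIMITED
 match access-group name INFRA-ICMP-UDP
!
policy-map IACL-POLICER
 class INFRA-RATE-LIMITED
  police 512000 8000 conform-action transmit exceed-action drop
!
! (2) Loose uRPF on the AS-border interface: a packet whose source's best
! route points to Null0 is dropped here, which is what makes the
! source-based trigger routes above take effect network-wide.
interface GigabitEthernet0/0
 description AS border (assumed interface name)
 ip verify unicast source reachable-via any
 service-policy input IACL-POLICER
```

The same `ip route 42.42.42.42 255.255.255.255 Null0` line belongs on every router that receives the blackhole routes; the rest (trigger statics, STATIC-TO-BGP, TO-RR) only goes on the boxes that source blackholes, as the post describes.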
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/