[c-nsp] Cisco way against DoS/DDos Attack?

Saku Ytti saku+cisco-nsp at ytti.fi
Wed Jan 3 11:05:15 EST 2007


On (2007-01-03 04:51 -0800), Jeff Tantsura wrote:

> All you need to configure (Loose) RPF with junos is:
> set forwarding-table unicast-reverse-path active paths /feasible-paths
> set rpf-check (mode loose) (per interface)

Unfortunately JNPR Loose/RPF does not fail on a route pointing to null0,
so it can't be used as a source-based blackholing mechanism. But flow
routes can accomplish much the same effect, while being an arguably more
complex method.

> Jeff
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
> Sent: Wednesday, January 03, 2007 3:32 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco way against DoS/DDos Attack?
> 
> On (2007-01-03 08:37 +0000), Monty Ree wrote:
> 
> > So, is there any cisco method against DDoS attack which send large 
> > traffic(bps,pps) like above?
> 
> 1)
> Use netflow to find src/dst of attack, run netflow in all AS borders.
> 
> 2)
> Implement RPF/Loose in all AS borders (this is cisco specific, with
> junos you need something called 'flow routes').
> Choose some real address you have as your blackhole, eg. 42.42.42.42/32,
> null route this everywhere, at least in every AS border.
> On one or more boxes use redistribute static route-map STATIC-TO-BGP
> to redistribute blackhole routes to BGP, eg. 'match tag 666, set community
> 42:666, set ip next-hop 42.42.42.42'
> If you run next-hop-self in every router, you're going to need route-map
> towards RR's also in the boxes that source blackholes, to reset next-hop if
> community 42:666, this will supersede next-hop-self.
> If you're going to allow customers to blackhole, you should disable
> connected-check or run ebgp-multihop.
> 
> 3)
> either null route sources:
> ip route 1.2.3.4 255.255.255.255 null0 tag 666
> ip route 6.3.3.4 255.255.255.255 null0 tag 666
> or destination:
> ip route 5.5.5.5 255.255.255.255 null0 tag 666
> 
> This should apply to all attacks not targeted to your infrastructure,
> your infrastructure should be protected in AS borders with ACL + Policer.
> Eg. allow ICMP + UDP high ports towards your core loop0 and
> point-to-point, and police them to an acceptable rate.
> If your customer facing links aren't from manageable block, and you
> can't protect them in iACL, stop advertising the PE side of the link:
> int customerfacing
>  ip address 2.2.4.0 255.255.255.254
> !
> ip route 2.2.4.1 255.255.255.255 customerfacing tag advertise-me-in-ibgp
> 
> Assuming CPE side needs to be advertised (NAT evilness or similar)
> Use CoPP to protect your infrastructure from attacks inside your AS#.
> This way your infrastructure should be very well protected, without
> needing huge redesign even in poorly planned/non-organically grown
> network (M&A's tend to be bad in terms of network entropy:)
> 
> 
> I wouldn't use any microflow policer or alike unless in the utmost
> simplest networks.
> If your business-case is keeping certain service running, even though
> it gets DoS, you might want to buy some of the sponging solutions. 
> 
> Further plans might be, that you implement QoS throughout core, and 
> drop all AS external traffic in case of congestion, kinda like 
> drop eligibility bit. This might not make sense for your products,
> but if main products do not heavily depend on well performing
> internet connectivity (eg. VPN or email), it might make sense.
> 
> > If I have been attacked, I would be do below..
> > 
> > 1st.  find source & dst ip which related attack and null routing.
> >     # ip route 1.1.1.1 255.255.255.255 Null 0
> > 
> > 2nd. filter source ip using access-list
> > 
> > 3rd. rate-limit per ip 
> > ex) rate-limit input access-group 150 2000000 250000 250000 conform-action 
> > transmit exceed-action drop
> > 
> > 4th. ????
> > 
> > If DDoS was attacked, filtering all source ips would not be the right answer,
> > and a firewall wouldn't defend because of large traffic. 
> > 
> > So is there any good method or documentation or new technology against DDoS 
> > Attack using cisco?
> > 
> > My network equipment is GSR(12008) and 6509sup2.
> > 
> > 
> > Thanks for your time..
> > 
> 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> -- 
>   ++ytti
> 

-- 
  ++ytti
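The remotely-triggered blackhole setup Saku describes in steps 2 and 3 above, written out as one IOS configuration. This is an added example and not configuration posted by anyone in the thread; the AS number 42, the interface names, the neighbor addresses, the route-map names TO-RR and the community-list BLACKHOLE, and the example victim/attacker addresses (192.0.2.77 as an attacked destination, 1.2.3.4 as an attack source) are assumptions chosen for illustration. The blackhole next-hop 42.42.42.42, tag 666, community 42:666 and route-map STATIC-TO-BGP are taken from the mail.

```cisco
! ---- Every AS border router: blackhole next-hop and Loose uRPF ----
! The blackhole address is a real address we own, null-routed everywhere.
ip route 42.42.42.42 255.255.255.255 Null0
!
! Loose uRPF on the border: a packet whose *source* resolves to Null0
! is dropped, so a source blackhole (below) also works. This is the
! Cisco-specific behaviour the mail contrasts with JunOS.
interface GigabitEthernet0/0
 description transit/peering link (assumed name)
 ip verify unicast source reachable-via any
!
! ---- Trigger router: tagged null routes are redistributed into BGP ----
! Destination blackhole (victim, assumed address):
ip route 192.0.2.77 255.255.255.255 Null0 tag 666
! Source blackhole (attacker, address from the mail):
ip route 1.2.3.4 255.255.255.255 Null0 tag 666
!
route-map STATIC-TO-BGP permit 10
 match tag 666
 set ip next-hop 42.42.42.42
 ! no-export is an added safeguard so the blackhole never leaks to eBGP peers
 set community 42:666 no-export
 set origin igp
! Anything not tagged 666 is not redistributed.
route-map STATIC-TO-BGP deny 20
!
! Community list used by routers that run next-hop-self towards the RRs.
ip community-list standard BLACKHOLE permit 42:666
!
! Outbound policy towards the RR: keep the blackhole next-hop intact even
! with next-hop-self, as the mail says the set supersedes next-hop-self.
route-map TO-RR permit 10
 match community BLACKHOLE
 set ip next-hop 42.42.42.42
route-map TO-RR permit 20
!
router bgp 42
 redistribute static route-map STATIC-TO-BGP
 neighbor 10.0.0.1 remote-as 42
 neighbor 10.0.0.1 description route reflector (assumed address)
 neighbor 10.0.0.1 next-hop-self
 neighbor 10.0.0.1 send-community
 neighbor 10.0.0.1 route-map TO-RR out
 ! Customer allowed to trigger blackholes: the next-hop they set is not
 ! on the directly connected link, hence disable-connected-check.
 neighbor 198.51.100.2 remote-as 64496
 neighbor 198.51.100.2 description customer trigger session (assumed)
 neighbor 198.51.100.2 disable-connected-check
```

Once the two `ip route ... tag 666` lines are entered on the trigger router, every router that carries the BGP route resolves the victim and attacker prefixes to 42.42.42.42, which it has null-routed locally, so the traffic is discarded at the AS border rather than crossing the core. A quick check on a border router is `show ip route 192.0.2.77` (next-hop 42.42.42.42) followed by `show ip route 42.42.42.42` (Null0); removing the static routes on the trigger box withdraws the blackhole.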

