[c-nsp] Shunning Traffic on ASA's
Roland Dobbins
rdobbins at cisco.com
Mon Feb 11 09:54:04 EST 2008
On Feb 11, 2008, at 9:16 PM, Christian Koch wrote:
> IS there any reasons NOT to use it?
If you're talking about automagic shunning, it's important to note
that any kind of dynamic shunning mechanism can potentially be
manipulated by attackers in order to cause a DDoS of legitimate
traffic. I would suggest planning carefully and thinking through
various scenarios prior to deployment of an automagic shunning setup.
Note that with ASA and PIX, you can manually shun connections as the
need arises, then yank them out once the need has gone away.
I would strongly suggest looking into S/RTBH as a potentially more
scalable mechanism at the various edges of your network, prior to
traffic reaching the firewall(s) in the first place.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // +66.83.266.6344 mobile
If you don't know what to do, it's harder to do it.
-- Malcolm Forbes
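As an added example (not from Roland's post, nor Cisco code), the following Python guard sits in front of an automated shun workflow and addresses the concern above: it refuses to shun protected prefixes, caps the number of concurrent shuns so a spoofed flood cannot turn the firewall against its own users, and expires shuns on a timer, emitting the ASA `shun` / `no shun` CLI lines an operator would otherwise type by hand. The prefixes, cap and TTL are constructed values.

```python
# Added example (not part of the original post): a defender-side guard for
# automatic shunning. The risk described on the list is that an attacker
# spoofs sources so that an automatic shunner blocks legitimate traffic;
# this guard bounds that damage. Prefixes and limits are constructed.
import ipaddress
import time

NEVER_SHUN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",        # internal address space (constructed)
    "192.0.2.53/32",     # upstream resolver we depend on (constructed)
)]
MAX_ACTIVE = 3           # cap on concurrent automatic shuns (constructed)
DEFAULT_TTL = 600        # seconds before a shun is withdrawn automatically


class ShunGuard:
    def __init__(self, max_active=MAX_ACTIVE, ttl=DEFAULT_TTL):
        self.max_active = max_active
        self.ttl = ttl
        self.active = {}  # ip address -> expiry timestamp

    def request(self, ip, now=None):
        """Return (ASA command or None, reason) for a shun request."""
        now = time.time() if now is None else now
        self.expire(now)
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NEVER_SHUN):
            return None, "protected address"
        if addr in self.active:
            return None, "already shunned"
        if len(self.active) >= self.max_active:
            return None, "shun cap reached; escalate to a human"
        self.active[addr] = now + self.ttl
        return f"shun {addr}", "applied"

    def expire(self, now=None):
        """Withdraw shuns whose TTL has passed; returns 'no shun' commands."""
        now = time.time() if now is None else now
        gone = [a for a, exp in self.active.items() if exp <= now]
        for a in gone:
            del self.active[a]
        return [f"no shun {a}" for a in gone]
```

The returned strings are meant to be pushed to the ASA by whatever automation you already trust; the "escalate" reason is where a human decision replaces the automatic one.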