[c-nsp] Surviving denial of service from certain IPs
Mario Spinthiras
spinthiras.mario at gmail.com
Fri Jul 25 05:20:50 EDT 2008
Greetings to everyone,
I recently looked into the minimal resource usage of a Cisco router in the
case of a denial of service attack. In such cases, what is the minimal
configuration one can apply to a router to make sure that, when a certain
range of IPs is attacking you, the router stays alive and uses far fewer
resources? Two things I came up with (one of which everyone probably does on
a normal basis) are access lists, and another would be a route-map to point
all unwanted sources to Null0. Would a route-map hurt the router less than
an access list outright? What I'm referring to is basically PBR pointing
matches to Null0. An example configuration would be:
!
interface FastEthernet0/0
 ip policy route-map unwanted
!
! The ACL's permit entries select the packets that get policy-routed,
! so the unwanted range must be permitted. With "deny ip any any" as
! the first entry (as originally posted) the permit is shadowed and
! the route-map never matches anything.
ip access-list extended unwacl
 remark sources to be dropped
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any
!
! "set interface" rather than "set default interface": the default
! form only applies when the destination has no explicit route, so it
! would not drop traffic aimed at prefixes the router already knows.
route-map unwanted permit 10
 match ip address unwacl
 set interface Null0
!
Is this more efficient than a plain old access list? Is this used in any way?
Regards,
Mario
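As an added example (not part of Mario's post), here is the "plain old access list" alternative for the same attacking range, applied inbound on the same interface, together with the one Null0 setting a practitioner would want whenever Null0 is used to drop traffic. The 192.168.1.0/24 range and FastEthernet0/0 are taken from the post; the ACL name dos-drop is an assumption.

```cisco
! Added example, not from the original post. ACL name "dos-drop" is assumed.
ip access-list extended dos-drop
 remark attacking sources first, so they are dropped on the first entry
 deny   ip 192.168.1.0 0.0.0.255 any
 remark everything else passes; without this line the implicit deny-any
 remark at the end of the list would blackhole all legitimate traffic
 permit ip any any
!
interface FastEthernet0/0
 ip access-group dos-drop in
!
! If Null0 is used instead (static route or PBR), stop the router from
! generating an ICMP unreachable for every dropped packet; under a flood
! that per-packet work lands on the CPU.
interface Null0
 no ip unreachables
!
```

Two caveats apply to either approach during an attack: do not put the log or log-input keyword on the deny entry, because logged packets are handed to the CPU instead of being dropped in the fast path, and keep the deny entries for the attacking range at the top of the list so each dropped packet is evaluated against as few entries as possible.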