[c-nsp] Surviving denial of service from certain IPs

Arie Vayner (avayner) avayner at cisco.com
Fri Jul 25 07:04:46 EDT 2008


Mario,

There is a more elegant way.
You could use loose mode uRPF on your ingress interfaces.
If you want to block a specific source prefix, you just set a route to
null0 for that prefix, and uRPF would block it in the most efficient way
possible on a Cisco router.

The generic uRPF guide:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_unicast_rpf_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Loose mode uRPF:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_unicast_rpf_loose_ps6441_TSD_Products_Configuration_Guide_Chapter.html

The command reference:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1033222

This solution can be integrated together with Remote Triggered Black
Holing for a distributed solution using BGP communities:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf

Let me know if you require further info.

Arie
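
The two-stage setup Arie describes (a null route per unwanted source plus
loose-mode uRPF on the ingress interfaces, and then the same drop pushed
out to every edge router with a BGP-triggered blackhole), written out as
an added example. This is not configuration from the post or from Cisco's
documents; the addresses are taken from the RFC 5737 documentation
ranges, and the AS number, iBGP neighbor addresses, interface names, tag
value and route-map name are assumptions:

```cisco
! ================= Edge router (repeat on every ingress box) =============
!
! A "blackhole" next-hop that exists only as a route to Null0. The address
! is assumed; it must never be reachable or advertised anywhere else.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 description Ingress from upstream / customer (interface name assumed)
 ! Loose-mode uRPF: drop a packet whose source address has no route in
 ! the FIB, or whose route resolves to Null0. Unlike strict mode it does
 ! not require the route to point back out this interface, so asymmetric
 ! routing keeps working. uRPF is a CEF feature, so CEF must be enabled.
 ip verify unicast source reachable-via any
!
! Stand-alone variant (Arie's first suggestion, no BGP needed): one static
! null route per unwanted source prefix. The drop then happens in the FIB
! lookup, not in an ACL or a route-map.
ip route 198.51.100.0 255.255.255.0 Null0
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 description iBGP to the trigger router (assumed)
 ! Edge routers must accept the community the trigger sets.
 neighbor 10.0.0.1 send-community
!
! ================= Trigger router (one box the operator touches) =========
!
! Blackhole an attacking source prefix: tag a static null route, let the
! route-map turn that tag into an iBGP route whose next-hop is the
! blackhole address. Every edge router resolves 192.0.2.1 to Null0, so
! its loose uRPF check drops packets from 203.0.113.0/24 on ingress.
ip route 203.0.113.0 255.255.255.0 Null0 tag 666
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 description iBGP to an edge router (assumed)
 neighbor 10.0.0.2 send-community
 redistribute static route-map RTBH-TRIGGER
!
! Only tagged statics are redistributed; the route-map's implicit deny
! keeps every other static route out of BGP.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 ! Keep the blackhole inside the AS.
 set community no-export
!
! To lift the blackhole, remove the tagged static route on the trigger.
```

On an edge router, "show ip interface GigabitEthernet0/0" reports the
verification mode in effect and "show ip traffic" carries the uRPF drop
counter, which is the quickest way to confirm the route is doing the
work. Two caveats a practitioner should keep in mind: a null route for a
source prefix also drops traffic destined to that prefix (it is the same
FIB entry), and loose mode only rejects sources with no route or a null
route, so it does nothing against spoofed sources drawn from routed
address space.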

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mario Spinthiras
Sent: Friday, July 25, 2008 12:21 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Surviving denial of service from certain IPs

Greetings to everyone,


I recently looked into the minimal resource usage of a Cisco router in
the case of a denial of service attack. In such cases, what is the
minimal configuration one can apply to a router to make sure that a
certain range of IPs attacking you keeps the router alive and uses much
less resources? Two things I came up with (one of which everyone
probably does on a normal basis) are access lists, and another would be
a route-map to point all unwanted sources to null0. Would a route-map
hurt the router less than an access list plain out? What I'm referring
to is basically PBR pointing matches to null0. An example configuration
would be:

!
interface FastEthernet0/0
 ip policy route-map unwanted
!
! The unwanted sources must be listed before "deny ip any any": with the
! deny first, the permit could never be reached and the route-map matched
! nothing. (An extended ACL ends with an implicit deny anyway.)
ip access-list extended unwacl
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
!
! "set interface Null0" drops every matched packet. "set default
! interface" only takes effect when the routing table has no explicit
! route to the destination, so attack traffic aimed at your own networks
! would have been forwarded normally.
route-map unwanted permit 10
 match ip address unwacl
 set interface Null0
!



Is this more optimal than a plain old access list? Is this used in any
way?


Regards,
Mario
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/