[c-nsp] Surviving denial of service from certain IPs

Mario Spinthiras spinthiras.mario at gmail.com
Fri Jul 25 08:31:04 EDT 2008


Arie, hello and thank you for your feedback.


What I want to know is how would route-map methods effectively help stop
such attacks and what the resource usage comparison is when putting ACLs and
other methods on the scale. uRPF is all very nice but what about something
along the lines of a 100 Mbps stub network?

Regards,
Mario


On Fri, Jul 25, 2008 at 2:04 PM, Arie Vayner (avayner) <avayner at cisco.com> wrote:

> Mario,
>
> There is a more elegant way.
> You could use loose mode uRPF on your ingress interfaces.
> If you want to block a specific source prefix, you just set a route to
> null0 for that prefix, and uRPF would block it in the most efficient way
> possible on a Cisco router.
>
> The generic uRPF guide:
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_unicast_rpf_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>
> Loose mode uRPF:
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_unicast_rpf_loose_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>
> The command reference:
> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1033222
>
> This solution can be integrated together with Remote Triggered Black
> Holing for a distributed solution using BGP communities:
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf
>
> Let me know if you require further info.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mario Spinthiras
> Sent: Friday, July 25, 2008 12:21 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Surviving denial of service from certain IPs
>
> Greetings to everyone,
>
>
> I recently looked into the minimal resource usage of a Cisco router in
> the case of a denial of service attack. In such cases, what is the
> minimal configuration one can apply to a router to make sure that a
> certain range of IPs attacking you keeps the router alive and uses much
> less resources? Two things I came up with (one of which everyone
> probably does on a normal basis) are access lists, and another would be
> a route-map to point all unwanted sources to null0. Would a route-map
> hurt the router less than an access list plain out? What I'm referring
> to is basically PBR pointing matches to null0. An example configuration
> would be:
>
> !
> interface FastEthernet0/0
>  ip policy route-map unwanted
> !
> !
> ip access-list extended unwacl
>  remark sources to be null-routed; the permit must come before the deny,
>  remark otherwise "deny ip any any" shadows it and the route-map never matches
>  permit ip 192.168.1.0 0.0.0.255 any
>  deny   ip any any
> !
> !
> route-map unwanted permit 10
>  match ip address unwacl
>  set default interface Null0
> !
>
>
>
> Is this more optimal than a plain old access list? Is this used in any
> way?
>
>
> Regards,
> Mario
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Warm Regards,
Mario A. Spinthiras
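
For readers following the thread: below is what the loose-mode uRPF approach Arie describes looks like as a complete IOS configuration, so it can be compared line for line with the PBR-to-Null0 configuration in Mario's original post. This is an added example, not configuration from either poster or from Cisco's documents; the interface, its address, the prefix 192.0.2.0/24 (an RFC 5737 documentation range standing in for an unwanted source range) and the description text are assumptions.

```ios
! Added example (not from the thread): loose-mode uRPF plus a static
! null route as the blocking mechanism.
!
! uRPF is implemented on top of the CEF FIB, so CEF must be on.
ip cef
!
! Loose-mode uRPF on the ingress interface.  "reachable-via any" means a
! packet is forwarded only if its source address resolves in the FIB to
! some interface other than Null0; the packet does not have to arrive
! on the interface the return route points to (that would be strict
! mode, "reachable-via rx").
!
! "allow-default" lets a source that matches only the default route pass
! the check.  On a stub network whose only external route is a default,
! leave it out and loose uRPF drops nearly all outside traffic.
interface FastEthernet0/0
 description upstream (assumed address, documentation range)
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via any allow-default
!
! Blocking a source range is then one static route.  Packets whose
! source falls in this prefix resolve to Null0, fail the uRPF check and
! are dropped in the forwarding path.  No ACL entry, route-map or
! per-packet policy evaluation is involved, which is the resource
! argument for this method over PBR.  The /24 is more specific than the
! default route, so allow-default does not let it through.
ip route 192.0.2.0 255.255.255.0 Null0
!
! Unblocking is the reverse:
! no ip route 192.0.2.0 255.255.255.0 Null0
!
! Verification, on the device:
!   show ip interface FastEthernet0/0 | include verify
!     confirms the source check is enabled on the interface
!   show ip traffic | include RPF
!     the "unicast RPF" drop counter rises as packets from the
!     null-routed prefix arrive
```

Two practical points on the design. First, the same null route also stops the router from forwarding traffic to the prefix, which is usually acceptable for an attacking range but worth knowing when the range contains customers. Second, because the block is expressed as a route rather than an interface ACL, it is what the RTBH white paper Arie links builds on: the null route is injected by BGP with a community at a trigger router instead of being typed on each edge box.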

