[c-nsp] Surviving denial of service from certain IPs

Peter Rathlev peter at rathlev.dk
Fri Jul 25 09:24:22 EDT 2008


On Fri, 2008-07-25 at 15:31 +0300, Mario Spinthiras wrote:
> What I want to know is how would route-map methods effectively help stop
> such attacks and what the resource usage comparison is when putting ACLs and
> other methods on the scale. uRPF is all very nice but what about something
> along the lines of a 100 Mbps stub network?

I'd go for the access lists, since they are made for exactly that. In a
debugging situation the ACL would, for me, be the more logical choice to
look for.

I'm not sure, but I have this feeling that ACLs are also more effective
with regard to performance than route-maps. I'd almost bet that
route-maps are at least not _more_ optimal than ACLs.

> > interface FastEthernet0/0
> >  ip policy route-map unwanted
> > !
> > ip access-list extended unwacl
> >  deny   ip any any
> >  permit ip 192.168.1.0 0.0.0.255 any
> > !

Since "any" also matches 192.168.1.0/24 the above would not work as
intended. You probably want to swap the two ACL lines.

> > route-map unwanted permit 10
> >  match ip address unwacl
> >  set default interface Null0
> > !

Wouldn't "set default interface" only be used if you have no specific
(e.g. connected) route to the destination? If you want to throw traffic
away it should be "set interface" I think.

Regards,
Peter
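As an added illustration (not part of this thread or its quoted config), the following Python walks the quoted ACL in IOS first-match order and shows the ordering point above: as posted, every source hits the "deny ip any any" line first, so the route-map clause never matches and nothing is sent to Null0; with the two lines swapped only 192.168.1.0/24 is matched. The function names and the sample addresses are my own.

```python
import ipaddress

# Constructed example: a minimal first-match evaluator for IOS extended
# ACL entries of the form "<action> ip <src> <wildcard> any" or
# "<action> ip any any". Destination is always "any" here and is ignored.

def _source_matches(src_spec, addr):
    """True if addr matches an IOS source spec ('any' or 'net wildcard')."""
    if src_spec == "any":
        return True
    net, wildcard = src_spec.split()
    net_i = int(ipaddress.IPv4Address(net))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    # IOS wildcard masks: a 1 bit means "don't care", so compare the
    # bits the wildcard leaves as 0.
    care = ~wc_i & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net_i & care)

def evaluate_acl(entries, src_addr):
    """Return 'permit' or 'deny' from the first matching line (implicit deny at end)."""
    for line in entries:
        parts = line.split()
        action = parts[0]          # permit / deny
        rest = parts[2:]           # parts[1] is the protocol ('ip')
        src_spec = "any" if rest[0] == "any" else f"{rest[0]} {rest[1]}"
        if _source_matches(src_spec, src_addr):
            return action
    return "deny"                  # IOS implicit deny at the end of every ACL

def route_map_next_hop(entries, src_addr):
    """A 'route-map unwanted permit 10 / match ip address <acl> / set interface Null0'
    clause only fires for packets the ACL *permits*; everything else is forwarded normally."""
    return "Null0" if evaluate_acl(entries, src_addr) == "permit" else "normal forwarding"

ACL_AS_POSTED = [
    "deny   ip any any",
    "permit ip 192.168.1.0 0.0.0.255 any",
]
ACL_SWAPPED = [
    "permit ip 192.168.1.0 0.0.0.255 any",
    "deny   ip any any",
]

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("swapped", ACL_SWAPPED)):
        for src in ("192.168.1.77", "10.0.0.5"):
            print(f"{name:9s} src={src:13s} -> {route_map_next_hop(acl, src)}")
```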
