[c-nsp] Surviving denial of service from certain IPs
Peter Rathlev
peter at rathlev.dk
Fri Jul 25 09:24:22 EDT 2008
On Fri, 2008-07-25 at 15:31 +0300, Mario Spinthiras wrote:
> What I want to know is how would route-map methods effectively help stop
> such attacks and what the resource usage comparison is when putting ACLs and
> other methods on the scale. uRPF is all very nice but what about something
> along the lines of a 100 Mbps stub network?
I'd go for the access lists, since they are made for exactly that. In a
debugging situation the ACL would, for me, be the more logical choice to
look for.
I'm not sure, but I have this feeling that ACLs are also more effective
with regard to performance than route-maps. I'd almost bet that
route-maps are at least not _more_ optimal than ACLs.
> > interface FastEthernet0/0
> > ip policy route-map unwanted
> > !
> > ip access-list extended unwacl
> > deny ip any any
> > permit ip 192.168.1.0 0.0.0.255 any
> > !
Since "any" also matches 192.168.1.0/24 the above would not work as
intended. You probably want to swap the two ACL lines.
> > route-map unwanted permit 10
> > match ip address unwacl
> > set default interface Null0
> > !
Wouldn't "set default interface" only be used if you have no specific
(e.g. connected) route to the destination? If you want to throw traffic
away it should be "set interface" I think.
Regards,
Peter
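For reference, here are the two variants discussed above written out in full. This is an added example, not configuration posted by either participant in the thread; it keeps the interface name and the 192.168.1.0/24 source range from the quoted snippet and assumes that range is the traffic to be discarded. The access-list name block-unwanted and the Null0 unreachables setting are my additions.

```cisco
! --- Variant 1: the quoted PBR approach, with the two fixes from the reply ---
! The ACL entries are swapped so the unwanted source is matched first.
! In a route-map, "match ip address" applies only to packets the ACL
! permits; packets it denies fall through to normal routing, so the
! trailing "deny ip any any" is the implicit default and is shown only
! for clarity.
ip access-list extended unwacl
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
!
! "set interface" always applies when the route-map matches;
! "set default interface" would only be consulted when there is no
! explicit route to the destination, so it would not reliably discard.
route-map unwanted permit 10
 match ip address unwacl
 set interface Null0
!
! Avoid generating an ICMP unreachable for every packet sent to Null0
! (a source address under attack would otherwise receive a reply storm).
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 ip policy route-map unwanted

! --- Variant 2: the plain inbound ACL the reply recommends instead ---
! No route-map is involved; the ACL is evaluated in order, first match
! wins, so the specific deny must precede the catch-all permit.
ip access-list extended block-unwanted
 deny   ip 192.168.1.0 0.0.0.255 any
 permit ip any any
!
interface FastEthernet0/0
 ip access-group block-unwanted in
```

Both variants can be verified with "show ip access-lists", whose per-entry match counters show which line the traffic is hitting; a counter that only increments on the catch-all line is the usual sign that the entries are in the wrong order.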