[c-nsp] Nice EEM applet to protect against certain DDoS situations (sup720)
bas
kilobit at gmail.com
Sat Aug 7 18:18:07 EDT 2010
Hi All,
We've had problems with certain DDoS situations for years now.
For more than half a year we've configured the applets below on our
6500's, it has proven to work great.
So I thought I'd share it on the list.
One of our bigger problems with our sup720's was when a customer would
receive a TCP SYN flood from lots of sources. And then decided to
remove the IP address from the server (or shut it down) After the ARP
entry expires from arp-cache every SYN packet would cause a glean
action for the CPU, and thereby overloading it and causing BGP and
OSPF flaps.
The standard solution is to use "mls rate-limit unicast cef glean yyyyy xx"
But we were seeing issues with static values.
Either the values would be too strict and drop "real" arp gleans (on
boxes with lots of hosts), or too loose thereby still overloading CPU
in case of a DDoS.
Then I found a nice example on wiki.nil.com, and modified it for our
purposes. (thanks Ivan!)
The following two applets configure strict glean values during high
CPU situations, and restore lower glean values when CPU load drops.
It also sends an email to a certain email address so you know the
applet was executed.
----
event manager environment _mail_smtp mail.yourdomain.com
event manager environment _mail_domain yourdomain.net
event manager environment _mail_rcpt noc at yourdomain.com
event manager session cli username "localuser"
event manager applet restore_glean
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1 get-type exact
entry-op le entry-val "35" exit-op ge exit-val "60" poll-interval 60
action 101 syslog priority notifications msg "Restoring high glean value"
action 102 cli command "enable"
action 103 cli command "config terminal"
action 104 cli command "mls rate-limit unicast cef glean 90000 200"
action 105 cli command "no mls qos protocol arp police 32000"
action 110 cli command "end"
event manager applet temp_low_glean
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1 get-type exact
entry-op ge entry-val "80" exit-op le exit-val "65" poll-interval 60
action 101 syslog priority notifications msg "Setting low glean due
to possible DDoS."
action 102 cli command "enable"
action 103 cli command "config t"
action 104 cli command "mls rate-limit unicast cef glean 30000 60"
action 105 cli command "mls qos protocol arp police 32000"
action 110 cli command "end"
action 200 cli command "sh processes cpu sorted 1min"
action 201 info type routername
action 202 mail server "$_mail_smtp" to "$_mail_rcpt" from
"$_info_routername@$_mail_domain" subject "Prolonged CPU Spikes" body
"$_cli_result"
----
Our boxes do aaa through tacacs and radius.
However we've configured a local user "localuser" so the script can
run even if aaa hosts are unreachable.
We;ve also configured the global arp policer, not due to the DDoS
described before, but because we've run into high CPU problems with
ARP storms too..
I hope some of you finds the above helpful.
Cya,
Bas
p.s. if you've disabled dns lookups do not forget to add a static
hosts entry for mail.yourdomain.com
More information about the cisco-nsp
mailing list