[c-nsp] Safer DDOS drops
Peter Kranz
pkranz at unwiredltd.com
Fri Apr 8 16:18:40 EDT 2011
So today one of our customers was being hit with a DDoS attack with the following signature; basically a bunch of UDP junk of about 5 Gbps in volume:
Date flow start          Duration Proto Src IP Addr:Port     -> Dst IP Addr:Port  Packets   Bytes  Flows
2011-04-08 12:31:49.504  8.832    UDP   58.64.147.47:0       -> xxxxx:0             2048    3.0 M  1
2011-04-08 12:31:49.822  8.640    UDP   193.142.209.170:0    -> xxxx:0             66560   98.2 M  1
2011-04-08 12:31:49.825  8.704    UDP   220.95.232.243:0     -> xxxxx:0            67584  100.0 M  1
2011-04-08 12:31:49.823  8.704    UDP   84.22.33.10:0        -> xxxxx:0            69632  102.7 M  1
2011-04-08 12:31:49.825  8.704    UDP   85.25.34.83:0        -> xxxxx:0            71680  106.5 M  1
2011-04-08 12:31:49.824  8.704    UDP   85.206.6.48:0        -> xxxxx:0            55296   81.9 M  1
2011-04-08 12:31:49.889  8.704    UDP   222.114.174.86:0     -> xxxx:0             67584  101.3 M  1
2011-04-08 12:31:49.887  8.704    UDP   193.226.98.10:0      -> xxxxx:0            69632  103.1 M  1
2011-04-08 12:31:49.887  8.704    UDP   85.234.235.135:0     -> xxxx:0            316416  466.7 M  1
2011-04-08 12:31:49.888  8.704    UDP   92.243.75.90:0       -> xxxx:0             62464   92.1 M  1
2011-04-08 12:31:49.954  8.704    UDP   72.55.140.164:0      -> xxxx:0              6144    9.1 M  1
The device facing the customer is a 6500 with a Sup720-3BXL running 12.2(33)SXI3.
I attempted to alleviate the customer port congestion by adding the following to the port (an EtherChannel made up of 2 1G ports on a WS-X6516-GBIC):
access-list 101 remark DOS Attack blocker
access-list 101 deny udp any host 208.71.159.144
access-list 101 permit ip any any
ip access-group 101 out
After doing this the router basically froze and died: it only responded to pings sporadically, and its BGP and HSRP sessions all kept flapping until we got in during a lull and removed the access-group. Is there a better way to handle filtering a high-volume traffic stream on a 6500 that won't kill the rest of the device?
I've also got a WS-X6724-SFP in the device that's available.
Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com
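Turning a flow dump like the one in the post into a blocking list by hand is slow while an attack is in progress. The following is an added example, not code from the original post or from Cisco: a Python script that parses nfdump-style records in the shape shown above (constructed sample lines, with 192.0.2.10 standing in for the redacted destination), aggregates bytes per source, ranks sources by Mbps, and emits per-source deny entries in the same access-list 101 style the post uses. The 50 Mbps threshold, the ACL number, the per-source rate approximation and the choice of per-source entries rather than a single destination-only deny are all assumptions made for the example.

```python
"""Rank UDP sources in nfdump-style flow records and emit IOS ACL lines.

Added example, not from the original post. Record layout assumed:
  <date> <time> <duration> <proto> <src>:<port> -> <dst>:<port> <packets> <bytes>[ K|M|G] <flows>
"""
import re
from collections import defaultdict

# Constructed sample records in the shape of the post's output; the
# destination 192.0.2.10 is a documentation address standing in for the
# redacted victim, and the TCP line is there to show protocol filtering.
SAMPLE_RECORDS = """\
2011-04-08 12:31:49.504 8.832 UDP 58.64.147.47:0 -> 192.0.2.10:0 2048 3.0 M 1
2011-04-08 12:31:49.822 8.640 UDP 193.142.209.170:0 -> 192.0.2.10:0 66560 98.2 M 1
2011-04-08 12:31:49.887 8.704 UDP 85.234.235.135:0 -> 192.0.2.10:0 316416 466.7 M 1
2011-04-08 12:31:49.954 8.704 UDP 72.55.140.164:0 -> 192.0.2.10:0 6144 9.1 M 1
2011-04-08 12:31:50.001 8.704 TCP 198.51.100.7:443 -> 192.0.2.10:51234 900 1.2 M 1
"""

RECORD_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>[\d.]+)(?:\s+(?P<unit>[KMG]))?\s+(?P<flows>\d+)\s*$"
)
UNIT = {None: 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_record(line):
    """Parse one record line; return a dict or None for lines that do not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "duration": float(m["dur"]),
        "packets": int(m["pkts"]),
        "bytes": float(m["bytes"]) * UNIT[m["unit"]],
    }


def rate_mbps(nbytes, seconds):
    """Bits per second expressed in Mbps; zero duration yields 0 rather than a division error."""
    return nbytes * 8 / seconds / 1e6 if seconds else 0.0


def top_sources(text, proto="UDP"):
    """Aggregate bytes per source for one protocol.

    Records from the same dump are treated as concurrent (same capture window),
    so bytes are summed and the longest duration is used for the rate. That is
    an approximation chosen for this example.
    """
    agg = defaultdict(lambda: [0.0, 0.0])
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["proto"] != proto:
            continue
        agg[rec["src"]][0] += rec["bytes"]
        agg[rec["src"]][1] = max(agg[rec["src"]][1], rec["duration"])
    ranked = sorted(agg.items(), key=lambda kv: rate_mbps(*kv[1]), reverse=True)
    return [(src, rate_mbps(b, d)) for src, (b, d) in ranked]


def build_acl(text, victim, acl=101, min_mbps=50.0):
    """Emit IOS ACL lines denying each UDP source above min_mbps toward victim."""
    lines = [f"access-list {acl} remark DOS Attack blocker"]
    for src, mbps in top_sources(text):
        if mbps < min_mbps:
            break  # list is sorted descending, nothing further qualifies
        lines.append(f"access-list {acl} deny udp host {src} host {victim}")
    lines.append(f"access-list {acl} permit ip any any")
    return lines


if __name__ == "__main__":
    for src, mbps in top_sources(SAMPLE_RECORDS):
        print(f"{src:<18} {mbps:8.1f} Mbps")
    print()
    print("\n".join(build_acl(SAMPLE_RECORDS, "192.0.2.10")))
```

The script only narrows what the ACL matches; it does not change how the 6500 processes an access-group, so it is a triage aid for building the entry list, not a fix for the device behaviour the post describes.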