[c-nsp] Safer DDOS drops

Peter Kranz pkranz at unwiredltd.com
Mon Apr 11 21:37:38 EDT 2011


We verified that UDP fragments were not required by anything it was doing so
it was straightforward... so after initially filtering UDP fragments, in
the end we just blocked UDP completely to the device under attack.

-peter

-----Original Message-----
From: Drew Weaver [mailto:drew.weaver at thenap.com] 
Sent: Friday, April 08, 2011 6:44 PM
To: 'Peter Kranz'
Subject: RE: [c-nsp] Safer DDOS drops

Peter,

What did you end up using to filter fragments?

We see a lot of these UDP 0 looking attacks and we've been reluctant to drop
all fragments because it breaks all kinds of legitimate protocols.

thanks,
-Drew


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Kranz
Sent: Friday, April 08, 2011 6:45 PM
To: 'Peter Rathlev'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

Brandon, Peter, Phil thanks..

I removed 'ip accounting access-violations', used the fragments filter, and
changed to 'mls rate-limit unicast ip icmp unreachable acl-drop 0' ..
another >5Gbps attack in progress currently, but router CPU is happy and
customer still in service.

-peter
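For readers who want to see what the two stages described in this thread look like on the box, here is an added configuration example; it is not taken from Peter's or Drew's messages. It assumes a Catalyst 6500/7600-style IOS device (the platform where `mls rate-limit` exists), a constructed victim address 192.0.2.10, and a constructed upstream interface TenGigabitEthernet1/1. Stage 1 drops only non-initial UDP fragments to the victim, which is what keeps DNS, NTP and other unfragmented UDP working; stage 2 is the escalation Peter describes, applied only after confirming the host needs no UDP at all.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10 (victim),
! TenGigabitEthernet1/1 (upstream). Adjust to your own addressing.

! Stage 1: drop non-initial UDP fragments aimed at the victim only.
! The 'fragments' keyword matches packets that carry no L4 header, so
! ordinary unfragmented UDP to the victim (DNS, NTP, ...) still passes.
ip access-list extended DDOS-STAGE1-FRAGS
 deny   udp any host 192.0.2.10 fragments
 permit ip any any

! Stage 2: escalation once it is verified the host needs no UDP at all.
! Swap this ACL in for stage 1 on the upstream interface.
ip access-list extended DDOS-STAGE2-NOUDP
 deny   udp any host 192.0.2.10
 permit ip any any

interface TenGigabitEthernet1/1
 description upstream
 ip access-group DDOS-STAGE1-FRAGS in
 ! 'ip accounting access-violations' counts ACL drops in software, which
 ! is exactly the CPU load you do not want during a multi-Gbps flood.
 no ip accounting access-violations
 ! Do not generate an ICMP unreachable for every dropped packet.
 no ip unreachables

! PFC hardware rate limiter: stop punting ACL-dropped packets to the RP
! just so it can send ICMP unreachables (0 = none).
mls rate-limit unicast ip icmp unreachable acl-drop 0
```

Watch the match counters with `show ip access-list DDOS-STAGE1-FRAGS` while the attack is running: if the fragment entry is absorbing the bulk of the traffic and the customer stays up, there is no need to move to stage 2; if the flood is unfragmented UDP, stage 1 alone will not help and the full UDP block is the next step. Either way, keep the ACL scoped to the victim host rather than dropping fragments network-wide, which is the breakage Drew is worried about.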




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/