[c-nsp] Prevent DDoS

Jon Lewis jlewis at lewis.org
Mon Mar 14 08:23:46 EDT 2011


Even dedicated (expensive) devices aren't going to prevent a DDoS from 
impacting your network.  The most common type of DDoS I've seen is packet 
flooding.  These typically utilize compromised/botted systems on broadband 
or better internet connections, or VPS/cloud computing resources with even 
more bandwidth, and can be in the several hundred Mbit/s to several Gbit/s 
range.  If you're hit with a DDoS that exceeds your internet capacity, 
then all the router security configs and dedicated "DDoS prevention" 
filtering devices aren't going to matter.  All you can do for this type of 
attack is react and mitigate it with filtering by your internet 
provider(s).

I recently did a little write-up on one method for this, BGP-triggered 
real-time blackhole routing.

http://jonsblog.lewis.org/2011/02/05#blackhole

On Mon, 14 Mar 2011, Ziv Leyes wrote:

> The only way to _prevent_ DDoS attacks is to get your hands on those that are planning to attack you and kick their arse before they run the DDoS.
>
> Once the attack is delivered, the only thing you can do is to mitigate it and wait till it's over...
> A mix of a well-configured control-plane policy on your core, with uRPF towards the outside and a blackhole device, is the most feasible way without having to buy a dedicated device to protect you.
>
> Sorry for putting emphasis on semantics... :-)
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tseveendorj
> Sent: Monday, March 14, 2011 10:36 AM
> To: cisco-nsp
> Subject: [c-nsp] Prevent DDoS
>
> Hello,
>
> Is there any way to prevent a DDoS attack on a Cisco router?
>
> regards,
> Tseveen.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
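Added example, not from Jon's write-up or from anyone in the thread: a minimal Cisco IOS configuration for the BGP-triggered blackholing Jon mentions, with loose-mode uRPF on the edge so the same mechanism also covers the source-based blackholing that Ziv's uRPF suggestion enables. Every address, AS number, interface name, tag value and route-map name below is a placeholder picked for illustration (RFC 5737 / RFC 6996 documentation ranges), not a value taken from the page.

```cisco
! ===== Trigger router (any iBGP speaker inside the AS) =====
ip cef
!
! Discard next hop.  192.0.2.1 is an assumed, never-routed address; every
! router in the AS points it at Null0 so anything BGP resolves to it is dropped.
ip route 192.0.2.1 255.255.255.255 Null0
!
! To blackhole a victim (destination-based) OR an attacking source prefix
! (source-based, needs loose uRPF on the edges), add a tagged static route.
! Tag 666 is a local convention, assumed here.  Remove the static to lift it.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! Only tagged statics are redistributed; the route-map's implicit deny keeps
! every other static route out of BGP.  no-export keeps the /32 inside the AS.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 64500
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 send-community
!
! ===== Each edge / border router =====
ip cef
!
! Same discard route: the iBGP-learned /32 has next hop 192.0.2.1, which
! resolves to Null0 here, so the drop happens at the edge, not after the
! flood has crossed the backbone.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on the upstream interface: a packet whose SOURCE has no
! route, or whose best route points to Null0, is dropped.  That is what turns
! a blackholed source prefix into a drop of the attacker's packets.
! allow-default is assumed because this edge may only carry a default route
! toward transit; a more specific Null0 route still fails the check.
interface GigabitEthernet0/0
 description Upstream transit (assumed)
 ip verify unicast source reachable-via any allow-default
!
router bgp 64500
 neighbor 10.0.0.1 remote-as 64500
 neighbor 10.0.0.1 send-community
```

On an edge router, `show ip bgp 203.0.113.10` should then show the /32 with next hop 192.0.2.1, and `show ip route 203.0.113.10` the BGP route whose next hop resolves to Null0. Withdrawing the tagged static on the trigger router withdraws the blackhole everywhere. Note what this does and does not do, which is Jon's and Ziv's point: destination-based blackholing finishes the job of taking the victim host off the net in order to save the rest of your capacity, and it still does nothing about a flood that saturates your upstream links before it reaches your edge. For that, providers that offer customer-triggered blackholing publish a BGP community; the trigger route-map would add that provider-specific community (not shown here) so the provider drops the traffic on its side.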
