[c-nsp] Prevent DDoS
Jon Lewis
jlewis at lewis.org
Mon Mar 14 08:23:46 EDT 2011
Even dedicated (expensive) devices aren't going to prevent a DDoS from
impacting your network. The most common type of DDoS I've seen is packet
flooding. These typically utilize compromised/botted systems on broadband
or better internet connections or VPS/cloud computing resources with even
more bandwidth and can be in the several hundred Mbit/s to several Gbit/s
range. If you're hit with a DDoS that exceeds your internet capacity,
then all the router security configs and dedicated "DDoS prevention"
filtering devices aren't going to matter. All you can do for this type of
attack is react and mitigate it with filtering by your internet
provider(s).

I recently did a little write-up on one method for this, BGP triggered
real time blackhole routing.

http://jonsblog.lewis.org/2011/02/05#blackhole

On Mon, 14 Mar 2011, Ziv Leyes wrote:
> The only way to _prevent_ DDoS attacks is to get your hands on those that are planning to attack you and kick their arse before they run the DDoS.
>
> Once the attack is delivered, the only thing you can do is to mitigate it and wait till it's over...
> A mix of well-configured control-plane policy on your core with uRPF towards the outside and a blackhole device is the most feasible way without having to buy a dedicated device to protect you.
>
> Sorry for putting emphasis on semantics... :-)
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tseveendorj
> Sent: Monday, March 14, 2011 10:36 AM
> To: cisco-nsp
> Subject: [c-nsp] Prevent DDoS
>
> Hello,
>
> Is there any way to prevent DDoS attack on Cisco Router?
>
> regards,
> Tseveen.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
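
The provider-side mitigation discussed in this thread, shown as an added Cisco IOS example of a customer-side blackhole trigger; it is not from the original post or the linked write-up. It assumes the upstream provider accepts /32 host routes tagged with a blackhole community; the AS numbers, addresses, community value and the names TO-PROVIDER and RTBH-TRIGGER are constructed placeholders.

```cisco
! Added example: customer-side trigger for provider blackholing.
! Constructed placeholder values (replace with your own):
!   64496         your AS (documentation ASN)
!   64500         the provider's AS
!   64500:666     the provider's blackhole community (assumed; ask your provider)
!   198.51.100.1  the provider's BGP peer address
!   192.0.2.0/24  your announced prefix; 192.0.2.10 is the address under attack
!
! Outbound filter: your aggregate plus /32 host routes inside it, nothing else.
ip prefix-list TO-PROVIDER seq 5 permit 192.0.2.0/24
ip prefix-list TO-PROVIDER seq 10 permit 192.0.2.0/24 ge 32
!
! Only static routes carrying tag 666 are redistributed, and they are
! marked with the provider's blackhole community on the way into BGP.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community 64500:666
!
router bgp 64496
 network 192.0.2.0 mask 255.255.255.0
 redistribute static route-map RTBH-TRIGGER
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 prefix-list TO-PROVIDER out
!
! Anchor route so the network statement has a matching entry in the RIB.
ip route 192.0.2.0 255.255.255.0 Null0
!
! During an attack: add the tagged host route to announce the blackhole.
ip route 192.0.2.10 255.255.255.255 Null0 tag 666
!
! After the attack: remove it to withdraw the announcement.
! no ip route 192.0.2.10 255.255.255.255 Null0 tag 666
```

Blackholing drops all traffic to the tagged address at the provider edge, legitimate traffic included, so it trades that one host for the rest of the link. `show ip bgp neighbors 198.51.100.1 advertised-routes` confirms whether the /32 is actually being sent.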