[c-nsp] Prevent DDoS

Paul Wozney paul at wozney.ca
Mon Mar 14 13:28:14 EDT 2011


>
> All you can do for this type of attack is react and mitigate it with
> filtering by your internet provider(s).
>
> I recently did a little write-up on one method for this, BGP triggered real
> time blackhole routing.
>
> http://jonsblog.lewis.org/2011/02/05#blackhole


Agreed, setting up BGP blackhole routing with your provider can at least
ensure that the bandwidth soaked up with a DDoS is not sent down to your CPE
hardware.  This means that if you're paying per-GB then you're not wasting
money on DDoS bandwidth.

The basic premise behind BGP blackhole routing is that the target IP gets
blackhole routed at the provider.  It doesn't prevent the DDoS at all so the
target system is still offline - it is more of a risk-mitigation strategy to
keep the rest of your network alive during an attack.

Keep in mind that some providers have a limitation on the number of
advertised routes; I have a customer who loves this system and he blackholed
too many /32s (I think his limit was 40 advertised routes) and it triggered
an automated response at the provider...which disabled the BGP instance
facing the customer.  Just ensure you know the parameters you're working
with.

---
Paul Wozney
Network Consultant
phone: +1 604-629-9975
toll free: +1 866-748-0516
email: paul at wozney.ca
web: http://wozney.ca
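As an added illustration (not from the original thread or from Jon's write-up), the customer-side IOS configuration for the provider-triggered blackhole Paul describes: a tagged static route to Null0 is redistributed into BGP with the provider's blackhole community attached, so the provider drops traffic to that /32 upstream of your link. The addresses, AS numbers, tag 666 and community 64500:666 are placeholders; the real community value and the advertised-route limit come from your provider.

```cisco
! Assumed values (placeholders): customer AS 64496, provider AS 64500,
! provider peer 192.0.2.1, customer aggregate 203.0.113.0/24,
! provider blackhole community 64500:666.
ip bgp-community new-format
!
! Anchor for the aggregate so "network" has a matching RIB entry.
ip route 203.0.113.0 255.255.255.0 Null0
!
! 1. The trigger: null-route the attacked host locally and tag it so BGP
!    picks it up. Adding or removing this one line starts/stops the blackhole.
ip route 203.0.113.45 255.255.255.255 Null0 tag 666
!
! 2. Only tagged /32s are redistributed; the implicit deny at the end of the
!    route-map keeps every other static route out of BGP.
route-map STATIC-TO-BGP permit 10
 description Blackhole /32s toward the provider
 match tag 666
 set community 64500:666 no-export additive
!
! 3. Outbound policy: announce our aggregate and the blackhole /32s, nothing else.
ip prefix-list OUR-AGGREGATE seq 5 permit 203.0.113.0/24
ip community-list standard BLACKHOLE permit 64500:666
!
route-map TO-PROVIDER permit 10
 match ip address prefix-list OUR-AGGREGATE
route-map TO-PROVIDER permit 20
 match community BLACKHOLE
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 redistribute static route-map STATIC-TO-BGP
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 send-community
 neighbor 192.0.2.1 route-map TO-PROVIDER out
!
! Before adding another /32, count what you already announce so you stay under
! the provider's advertised-route limit (Paul's customer tripped an automated
! session shutdown by exceeding his):
!   show ip bgp neighbors 192.0.2.1 advertised-routes
```

Remember the caveat in the text above: the /32 is still unreachable while blackholed; the point is to keep the rest of the prefix and your access link usable.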
> On Mon, 14 Mar 2011, Ziv Leyes wrote:
>
>> The only way to _prevent_ DDoS attacks is to get your hands on those that
>> are planning to attack you and kick their arse before they run the DDoS.
>>
>> Once the attack is delivered, the only thing you can do is to mitigate it
>> and wait till it's over...
>> A mix of a well-configured control-plane policy on your core with uRPF
>> towards the outside and a blackhole device is the most feasible way without
>> having to buy a dedicated device to protect you
>>
>> Sorry for putting emphasis on semantics... :-)
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:
>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Tseveendorj
>> Sent: Monday, March 14, 2011 10:36 AM
>> To: cisco-nsp
>> Subject: [c-nsp] Prevent DDoS
>>
>> Hello,
>>
>> Is there any way to prevent DDoS attacks on a Cisco router?
>>
>> regards,
>> Tseveen.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>

