[c-nsp] DDoS help please

Mike mike-cisconsplist at tiedyenetworks.com
Tue Dec 11 14:19:08 EST 2012


Hi,

	I tried asking this question another way and don't think I made it 
clear what or why it was needed.

	I am an ISP and I have been seeing a customer IP address being targeted 
for a DDoS which appears to be a DNS amplification attack. I checked 
the IPs of the servers sending packets and they all appear to be 
legitimate recursive resolvers that unfortunately don't limit queries to 
their own customer networks. On my side, I would like to impose a rule 
for this single customer that no DNS traffic - other than from my own 
resolvers - is forwarded between this customer and the network. The 
customer is terminated with PPPoE on a 7201 and they have a RADIUS profile 
entry that includes 'Filter-Id' which contains a basic home user filter 
to deny crap traffic such as RFC 1918 and such. I would like to be able 
to add an additional filter on top of this which includes deny all port 
53 except to/from my servers. I don't want to cut/paste and create a new 
access list for this customer, I just want to be able to add some 
additional rules on top of the default filter set. Surely there has to 
be a way to do this?

Mike-
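As an added illustration (not part of Mike's post or any reply), the per-customer rule described above expressed as an IOS extended ACL. IOS binds one access-group per direction to an interface, and Filter-Id names exactly one ACL, so the extra DNS rules cannot be stacked on top of the existing filter at RADIUS time; the DNS rules have to live in a second named ACL that also carries the base rules, and that customer's Filter-Id is pointed at it. The ACL name, the resolver addresses (RFC 5737 documentation space) and the ".in"/".out" Filter-Id suffix convention are assumptions for the example.

```cisco
! Added example, not from the original post. Placeholder names/addresses.
! Resolver addresses below are made-up documentation-space values.
!
! One ACL serves both directions because it is applied only to this
! customer's virtual-access interface: "any" on the near side is the customer.
ip access-list extended HOME-USER-NODNS
 remark --- DNS only to/from our own resolvers (192.0.2.53, 192.0.2.54) ---
 ! customer -> our resolvers (queries), resolvers -> customer (replies)
 permit udp any host 192.0.2.53 eq 53
 permit udp any host 192.0.2.54 eq 53
 permit udp host 192.0.2.53 eq 53 any
 permit udp host 192.0.2.54 eq 53 any
 permit tcp any host 192.0.2.53 eq 53
 permit tcp any host 192.0.2.54 eq 53
 permit tcp host 192.0.2.53 eq 53 any
 permit tcp host 192.0.2.54 eq 53 any
 ! everything else on port 53 in either direction: drop, and count it so
 ! the amplification traffic is visible in "show access-list"
 deny   udp any any eq 53 log
 deny   udp any eq 53 any log
 deny   tcp any any eq 53
 deny   tcp any eq 53 any
 remark --- base home-user filter (same content as the default Filter-Id ACL) ---
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! RADIUS side (assumed convention): the attacked customer's profile gets
!   Filter-Id = "HOME-USER-NODNS.in"
!   Filter-Id = "HOME-USER-NODNS.out"
! instead of the default home-user ACL name; the customer must re-authenticate
! (or be bounced) for the new Filter-Id to take effect on the virtual-access.
```

Two checks worth doing once it is in place: "show access-list HOME-USER-NODNS" should show the two logged deny lines incrementing while the attack runs, and "show ip interface virtual-access N" should confirm the new ACL is bound in both directions for that customer only. Using "log" on the two UDP deny lines keeps the counters informative but will punt matching packets to the CPU, so keep it on only while the attack is being watched.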

