[c-nsp] shaping > 128 mbps - asr9k

Lukas Tribus luky-37 at hotmail.com
Wed Nov 13 16:12:00 EST 2013


Hi!


> Thanks. I'm trying to slow down ddos attacks that use legitimate udp ports,
> do I really want to police my friendly udp traffic right along with my
> attack udp traffic? The line of thinking that I was running with was to
> merely slow down the udp traffic, not drop it completely. Basically, I'm
> getting ddos udp attacks in the realm of 2 and 3 gbps up to 2 hours in
> duration. This is killing my distribution network's feed at 1 gbps rates. I
> wanted to slow down (shape) udp on an on-going basis, so as to slow down the
> momentary udp attacks. Thoughts?

You don't slow down DoS by input shaping it. You police it.

What advantage do you have from input shaping it? Your friendly and legitimate
udp traffic will be dropped anyway if the attack traffic saturates the shaper.

You really should police this traffic, there is no point in queueing attack
traffic.

And you should spend more time in trying to figure out differences between
attack and legitimate traffic, and then you can use different policers
depending on the likelihood of the match being an attack (look at things
like dst/src ports, ip and udp checksums, payload length, etc). This has
helped us a lot with non-sophisticated attacks.

With the less sophisticated attacks, if there is a static attribute in the
packet that you can exploit to match the packet and drop it, then EEM and FPM
help you (but that's a cat-and-mouse game).



> This is killing my distribution network's feed at 1 gbps rates.

In a broadband/PPP environment, you can use "Per Session Queuing and
Shaping" [1], it will then only saturate the attacked subscriber, not
your access/distribution network.


[1] http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_ppoe_ses_q_rad.html



Regards,

Lukas
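The two approaches discussed above, side by side, as an added IOS-XR configuration example that is not part of Lukas's post or of Cisco's documentation. The interface name, the ACL and class-map names, the policer rates and the ports listed in the likely-attack ACL are all assumptions chosen for illustration and must be replaced with values derived from the attack traffic actually observed; matching on checksums or payload length (the FPM/EEM route) is not shown.

```cisco
! --- What the question proposes: an ingress shaper for all UDP ---
! The shaper queues attack and legitimate UDP in the same queue, so once
! the attack exceeds 128 mbps the queue fills and legitimate UDP is dropped
! from it anyway; the attack traffic has only been delayed, not removed.
class-map match-any UDP-ALL
 match access-group ipv4 UDP-ANY
 end-class-map
!
policy-map INGRESS-SHAPE-UDP
 class UDP-ALL
  shape average 128 mbps
 !
 class class-default
 !
 end-policy-map
!
! --- What the reply recommends: police, with separate policers per class ---
! Assumed example: the attack traffic seen so far was sourced from a few
! well-known reflector ports, so that traffic is classified separately and
! given a small policer; all other UDP gets its own, larger policer and is
! not affected when the likely-attack class exhausts its bucket.
ipv4 access-list UDP-LIKELY-ATTACK
 ! placeholder source ports, to be replaced by what is observed in captures
 10 permit udp any eq 123 any
 20 permit udp any eq 1900 any
 30 permit udp any eq 53 any
!
ipv4 access-list UDP-ANY
 10 permit udp any any
!
class-map match-any UDP-LIKELY-ATTACK
 match access-group ipv4 UDP-LIKELY-ATTACK
 end-class-map
!
class-map match-any UDP-OTHER
 match access-group ipv4 UDP-ANY
 end-class-map
!
policy-map INGRESS-POLICE-UDP
 ! classes are evaluated in order: the narrow likely-attack class must come
 ! before UDP-OTHER, which matches every UDP packet
 class UDP-LIKELY-ATTACK
  police rate 20 mbps
   conform-action transmit
   exceed-action drop
  !
 !
 class UDP-OTHER
  police rate 300 mbps
   conform-action transmit
   exceed-action drop
  !
 !
 class class-default
 !
 end-policy-map
!
! assumed uplink interface
interface TenGigE0/0/0/0
 service-policy input INGRESS-POLICE-UDP
!
```

After applying the policer, `show policy-map interface TenGigE0/0/0/0 input` shows per-class conformed and exceeded counters; during an attack the exceed counter of UDP-LIKELY-ATTACK should climb while UDP-OTHER stays within its rate. If legitimate traffic is showing up in the likely-attack class, the ACL is too broad and needs a more specific attribute, which is the cat-and-mouse game the reply refers to.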