[c-nsp] BGP session going down during DDOS
Dobbins, Roland
rdobbins at arbor.net
Sun Mar 9 21:08:12 EDT 2014
On Mar 10, 2014, at 2:41 AM, redscorpion69 <redscorpion69 at gmail.com> wrote:
> Filters don't allow BGP sessions to our PE router.
You might want to double-check that your iACLs are up-to-date, that you've enabled GTSM, that you've enabled CoPP, etc.
What make/model/OS/train/revision/linecard?
> By the way, what IS the best way to defend against this huge amount of traffic? You can't really place policers at the edge of the network, it's
> cumbersome and prone to errors.
Sure you can. Police down UDP/123 traffic which isn't 76 bytes in size down to a 1mb/sec aggregate or thereabouts, or UDP/123 traffic which is greater than 400 bytes in size down to a 1mb/sec aggregate, or thereabouts.
I prefer the former, but YMMV.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
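
Added example (not part of the message above and not router configuration): a Python simulation of the first policer the reply describes, UDP/123 packets that are not 76 bytes in size held to a 1 Mb/s aggregate. The burst size, the reading of 76 bytes as IP packet length, and the traffic mix are assumptions constructed for illustration.

```python
# Added example: simulation only, not router configuration.
NTP_PORT = 123
NORMAL_NTP_LEN = 76          # assumed IP length: 20 IP + 8 UDP + 48 NTP bytes
POLICE_RATE_BPS = 1_000_000  # the message's "1mb/sec", read here as 1 Mbit/s
BURST_BYTES = 31_250         # assumed burst allowance (250 ms at that rate)

class AggregatePolicer:
    """Single-rate token bucket shared by every packet in the policed class."""

    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conforms(self, now, size):
        refill = (now - self.last) * self.bytes_per_s
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def is_policed(proto, sport, dport, ip_len):
    """First option in the message: UDP/123 that is not 76 bytes in size."""
    return proto == "udp" and NTP_PORT in (sport, dport) and ip_len != NORMAL_NTP_LEN

def run(packets, policer):
    """packets: (time_s, proto, sport, dport, ip_len) tuples in time order."""
    stats = {"exempt_fwd": 0, "policed_fwd": 0, "policed_drop": 0}
    for t, proto, sport, dport, ip_len in packets:
        if not is_policed(proto, sport, dport, ip_len):
            stats["exempt_fwd"] += ip_len
        elif policer.conforms(t, ip_len):
            stats["policed_fwd"] += ip_len
        else:
            stats["policed_drop"] += ip_len
    return stats

def constructed_traffic():
    """Constructed sample: 1 s of 468-byte UDP/123 at 10,000 pps plus 76-byte NTP at 10 pps."""
    flood = [(i / 10_000, "udp", 123, 40000, 468) for i in range(10_000)]
    normal = [(i / 10, "udp", 123, 123, 76) for i in range(10)]
    return sorted(flood + normal)

if __name__ == "__main__":
    print(run(constructed_traffic(), AggregatePolicer(POLICE_RATE_BPS, BURST_BYTES)))
```

The byte counters show the 76-byte packets passing untouched while the oversized UDP/123 traffic is held to roughly the burst plus one second of the policed rate.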