[nsp-sec] Recent 20 Gbps microburst DoS attack
J. Chambers
jchambers at ucla.edu
Fri Dec 22 13:38:19 EST 2017
On 12/22/17 17:40, Nick Hilliard wrote:
>
> we've observed that most ddos traffic contains a small % of packets
> which are marked with dscp > 48, which will be forwarded with precedence
> over network traffic (ospf, bgp, isis, etc). You may want to consider
> rewriting dscp on your network ingress points to drop the qos values on
> those frames to junk, as you shouldn't really be getting any ingress
> traffic marked with that high priority. Obviously, you'll need to be
> careful with bgp traffic to your upstreams.
>
I think you're right. I ran a quick aggregation on some flows from our
internal routers, and it shows some of the traffic had ToS values of 32
and 4.
If I understand that correctly, that means 32 = CS2 (Immediate) and 4 =
CS5 (Critical).
--Jason
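
An added example, not part of the original message: a flow aggregation of the kind discussed above that splits each ToS byte into DSCP (upper six bits) and ECN (lower two bits) per RFC 2474 and reports what share of packets carries DSCP 48 or higher. The flow records are constructed, and the function names and the threshold of 48 (CS6 and above) are assumptions.

```python
from collections import Counter

# Constructed sample flow records: (src, dst, ip_proto, tos_byte, packets)
FLOWS = [
    ("198.51.100.7", "192.0.2.10", 17, 0, 9200),
    ("198.51.100.9", "192.0.2.10", 17, 32, 410),
    ("203.0.113.4", "192.0.2.10", 17, 4, 35),
    ("203.0.113.8", "192.0.2.10", 17, 192, 120),
    ("203.0.113.8", "192.0.2.11", 17, 224, 60),
    ("198.51.100.7", "192.0.2.10", 6, 184, 15),
]

NETWORK_CONTROL_MIN = 48  # assumption: flag CS6 (DSCP 48) and above


def decode_tos(tos):
    """Split the 8-bit ToS / Traffic Class byte into (dscp, ecn, name)."""
    if not 0 <= tos <= 255:
        raise ValueError(f"ToS byte out of range: {tos}")
    dscp, ecn = tos >> 2, tos & 0b11
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        name = f"CS{cls}"            # class selector codepoints
    elif dscp == 46:
        name = "EF"                  # expedited forwarding
    elif 1 <= cls <= 4 and low in (2, 4, 6):
        name = f"AF{cls}{low >> 1}"  # assured forwarding AFxy
    else:
        name = f"DSCP{dscp}"         # no standard name
    return dscp, ecn, name


def packets_by_dscp(flows):
    """Sum packet counts per decoded DSCP value."""
    totals = Counter()
    for _src, _dst, _proto, tos, packets in flows:
        totals[decode_tos(tos)[0]] += packets
    return totals


def flag_network_control(flows, minimum=NETWORK_CONTROL_MIN):
    """Return ({dscp: packets} at or above minimum, share of all packets)."""
    totals = packets_by_dscp(flows)
    flagged = {d: n for d, n in totals.items() if d >= minimum}
    share = sum(flagged.values()) / sum(totals.values()) if totals else 0.0
    return flagged, share


if __name__ == "__main__":
    for dscp, pkts in sorted(packets_by_dscp(FLOWS).items()):
        print(f"{decode_tos(dscp << 2)[2]:>6} dscp={dscp:<2} packets={pkts}")
    print(flag_network_control(FLOWS))
```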