[109891] in North American Network Operators' Group
RE: UDP DoS mitigation?
daemon@ATHENA.MIT.EDU (Ian Henderson)
Sat Dec 13 22:02:42 2008
From: Ian Henderson <ianh@chime.net.au>
To: "'ernst@easystreet.com'" <ernst@easystreet.com>, "nanog@nanog.org" <nanog@nanog.org>
Date: Sun, 14 Dec 2008 12:02:20 +0900
In-Reply-To: <49833.69.30.17.85.1229114856.squirrel@www.woofpaws.com>
Errors-To: nanog-bounces@nanog.org
Rick Ernst wrote on 2008-12-13:
> - This instance was a DoS, not DDoS. Single source and destination, but
> the source (assuming no spoofing) was in Italy. Turning off netflow
> seemed to help, but the attack itself stopped at about the same time.
Before moving to hardware-based platforms, we used a lot of G1s on sticks.
One of the advantages of this is the ability to filter DoS traffic on the
switch in front of the router - anything 2950 or higher (with L3 snooping
capabilities) can do this with an access list.
Router1 Gi0/1 ----- Gi0/1 Switch1 Gi0/2 ----- Upstream
On Switch1 configure something like:
access-list 100 deny ip host x.x.x.x any
access-list 100 permit ip any any
interface GigabitEthernet0/2
 ip access-group 100 in
So if your topology allows for it, this is a great short term fix. Note that
this means you lose high speed convergence due to immediate link state
notifications, and should use aggressive timers to compensate.
--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
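An added configuration example, not from Ian's message or from iiNet, that fills out the switch-side filter for the single-source UDP flood and the timer caveat. It assumes Cisco IOS named extended ACL syntax, RFC 5737 documentation addresses as placeholders for the attack source, the victim and the upstream peer, and eBGP across the upstream link.

```cisco
! Added example, not from the original message. Topology as in the post:
!   Router1 Gi0/1 ----- Gi0/1 Switch1 Gi0/2 ----- Upstream
! Placeholders: 192.0.2.10 = single attack source, 198.51.100.5 = victim,
! 203.0.113.1 = upstream BGP peer (all RFC 5737 documentation addresses).
!
! --- Switch1: drop the flood before it reaches the router ---
! A named extended ACL; match only the UDP flow that was seen so that
! legitimate traffic from the same source (if any) keeps flowing.
ip access-list extended UPSTREAM-IN
 remark single-source UDP flood, see ticket <placeholder>
 deny   udp host 192.0.2.10 host 198.51.100.5
 permit ip any any
!
! Apply inbound on the upstream-facing port, not the router-facing one.
interface GigabitEthernet0/2
 description to Upstream
 ip access-group UPSTREAM-IN in
!
! Check that the deny entry is actually matching while the flood runs;
! a counter that stays at zero usually means wrong interface or direction:
!   Switch1# show ip access-lists UPSTREAM-IN
!
! --- Router1: compensate for the lost link-state notification ---
! With the switch in the path, Router1 Gi0/1 stays up when the upstream
! link fails, so the router only notices through protocol timers.
! Keepalive 10 s / holdtime 30 s is an illustrative aggressive setting
! for the eBGP session (assumption: eBGP to the upstream).
router bgp 64496
 neighbor 203.0.113.1 timers 10 30
```

Remove the ACL entry once the flood stops; a forgotten host-specific deny on the upstream port is easy to lose track of when the address is later reassigned.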