[56969] in North American Network Operators' Group


Re: Using Policy Routing to stop DoS attacks

daemon@ATHENA.MIT.EDU (Christian Liendo)
Tue Mar 25 10:01:28 2003

Date: Tue, 25 Mar 2003 09:58:39 -0500
To: <nanog@merit.edu>
From: Christian Liendo <cliendo@globix.com>
Cc: rafi-nanog@meron.openu.ac.il, haesu@towardex.com
In-Reply-To: <Pine.LNX.4.33.0303250920040.28569-100000@bkr.towardex.com>
Errors-To: owner-nanog-outgoing@merit.edu


At 09:21 AM 3/25/2003 -0500, Haesu wrote:

>I dunno how you want to implement this; but as far as I know, the way most
>people generally do policy routing on cisco thru routemap is they define
>the source IPs via access-list... Does that make a huge difference compared
>to regular access lists? I dunno...

Well, yes. It seems that an IP deny is more process intensive than an IP 
permit. I do not claim to know why. I have just seen it myself.

Anyway, depending on the attack, with large numbers of packets sometimes the 
CPU is so high you can get knocked off the router.
I wanted to see if policy routing is less taxing on the router.

With the access-list for a policy route map you have an access-list permit, 
so I figured it might be less taxing.

>Which Cisco router ? IOS ?
>  HW/SW/CEF/netflow/<whatver>  "IP switching"  ?

While I have had this problem on different routers, the ones I constantly 
have it on are Cisco Cat 5000s with RSMs (RSP4). I have tried different 
codes; I am currently at 12.04. But it's not a code issue. It's just a 
limitation of the router. I just need something less taxing on the router.

I just need to know if anyone has already done this.
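The two approaches the message contrasts, as an added illustration that is not part of the original post or of any Cisco documentation: a plain inbound access-list that denies the attack source, and a policy route-map whose access-list only permits the source and sends matching packets to Null0. The interface name Vlan100, the ACL numbers and the 192.0.2.0/24 source are assumed placeholders; pick one approach per interface, not both.

```cisco
! --- Approach 1: inbound access-list with an explicit deny
! --- (the form the poster reports as CPU-intensive on his RSMs).
! Source 192.0.2.0/24 is a constructed placeholder for the attack source.
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 permit ip any any
!
interface Vlan100
 ip access-group 110 in
!
! --- Approach 2: policy routing. The ACL contains only a permit for
! --- the attack source; the route-map steers matching packets to Null0.
access-list 120 permit ip 192.0.2.0 0.0.0.255 any
!
route-map DROP-ATTACK permit 10
 match ip address 120
 set interface Null0
!
! Packets that match no route-map entry are forwarded normally.
interface Vlan100
 ip policy route-map DROP-ATTACK
 ! Fast-switched PBR on IOS releases that would otherwise
 ! process-switch policy-routed packets.
 ip route-cache policy
!
! Stop the router from answering every dropped packet with an
! ICMP unreachable, which would itself cost CPU during the attack.
interface Null0
 no ip unreachables
```

Verify which entries are actually being hit with `show access-lists` and `show route-map DROP-ATTACK` while the attack is in progress.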
