[56979] in North American Network Operators' Group


Re: Using Policy Routing to stop DoS attacks

daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Mar 25 12:39:16 2003

From: "Jack Bates" <jbates@brightok.net>
To: "Haesu" <haesu@towardex.com>,
	"Christian Liendo" <cliendo@globix.com>
Cc: <nanog@merit.edu>
Date: Tue, 25 Mar 2003 11:41:49 -0600
Errors-To: owner-nanog-outgoing@merit.edu


Haesu wrote:
> I dunno how you want to implement this; but as far as I know, the way
> most people generally do policy routing on Cisco through a route-map is
> that they define
> the source IPs via access-list... Does that make a huge difference
> compared to regular access lists? I dunno...
>
> I've kinda tested it in the lab with two 7206's and CPU load seems to
> be about the same when done with regular access-list and done with
> policy routing.. But, I don't have the true real data to back up my
> claims..
>

On a live production network under DoS attack, access-lists applied to the
inbound interfaces are less CPU load than switching the packet on a 7206
running 12.0(x)S code. Policy routing, even with ip route-cache policy, is an
increase in load. This is especially true when using extended access lists
for, say, port 80 redirects. This was noted when doing special caching
policies before our load exceeded what the ArrowPoint and the 7206 CPUs
could handle. FYI: one of my DoS attacks was a PPS attack, and since the
packets were small and not using bandwidth, blocking via access-list
recovered the network completely with little notice of CPU load over normal
traffic. Apparently a 7206 can block more PPS than it can switch.


--
Jack Bates
Network Engineer
BrightNet Oklahoma

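Added example (not from the original post, and not Jack's or Haesu's configuration): a Cisco IOS fragment showing the two approaches the thread compares, side by side, so the difference in where the work happens is visible. The interface names, the ACL numbers, the cache next-hop 192.0.2.10 and the attack source range 203.0.113.0/24 are all hypothetical placeholders (documentation address space).

```text
! --- Approach 1: policy routing (route-map + extended ACL) for a port 80 cache redirect.
! Every packet on the interface is checked against the route-map, and matching
! packets are handed to the policy-routing path instead of normal switching.
! Hypothetical ACL number and next-hop address.
access-list 110 permit tcp any any eq www
!
route-map CACHE-REDIRECT permit 10
 match ip address 110
 set ip next-hop 192.0.2.10
!
interface FastEthernet0/0
 description Customer-facing (hypothetical)
 ip policy route-map CACHE-REDIRECT
 ! Fast-switches policy-routed packets; without it they are process-switched.
 ip route-cache policy
!
! --- Approach 2: plain inbound ACL to drop the DoS source at the edge interface.
! Deny entries go first so attack packets are discarded on the first line and
! never reach the switching path. The attack range is a hypothetical placeholder.
! Do NOT add the "log" keyword to the deny line during an attack: logged matches
! are punted to the process level and recreate the CPU problem you are fixing.
access-list 120 deny   ip 203.0.113.0 0.0.0.255 any
access-list 120 permit ip any any
!
interface Serial1/0
 description Upstream-facing (hypothetical)
 ip access-group 120 in
```

To confirm which path is taking the load while the attack is running, compare `show processes cpu` before and after applying the ACL, watch the hit counters in `show access-lists 120` climb on the deny line, and use `show route-map CACHE-REDIRECT` to see how many packets the policy-routing path is still touching.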
