[57081] in North American Network Operators' Group
Re: Using Policy Routing to stop DoS attacks
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Fri Mar 28 11:00:22 2003
Date: Fri, 28 Mar 2003 15:59:41 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Andre Chapuis <chapuis@ip-plus.net>
Cc: Christian Liendo <cliendo@globix.com>, <nanog@merit.edu>
In-Reply-To: <5.1.1.6.2.20030328150430.064c46e0@imap.ip-plus.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 28 Mar 2003, Andre Chapuis wrote:
>
> We could ask Cisco and Juniper to add a way of 'artificially' remove
> networks from the CEF table (with an ACL or so). That way, even with
> loose-RPF, the packet will be dropped based on source-address at the
> ingress without consuming CPU.
Keep in mind that this functionality would still be held to the same set
of restrictions as uRPF... and you CAN accomplish this with a blackhole
setup on your network. By blackholing source prefixes you COULD get this
same effect.
> Or maybe such a feature already exist
it kind of does... though with some real routing goo, not via an acl.
> André
>
> At 09:06 25.03.2003 -0500, Christian Liendo wrote:
>
> >Looking for advice.
> >
> >I am sorry if this was discussed before, but I cannot seem to find this.
> >I want to use source routing as a way to stop a DoS rather than use access-lists.
> >
> >In other words, let's say I know the source IP (range of IPs) of an attack and they do not change.
> >
> >If the destination stays the same I can easily null route the destination, but what if the destination constantly changes. So I have to work based on the source IP.
> >
> >Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof.
> >What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router than an access-list.
> >
> >Has anyone else tried this successfully on ciscos and junipers?
> >Is it easier on the CPU than access-lists?
> >Is there a link I cannot find on cisco or google?
> >
> >Thanks
> >Christian Liendo
> >
>
> ---------------------
> Andre Chapuis
> IP+ Engineering
> Swisscom Ltd
> Genfergasse 14
> 3050 Bern
> +41 31 893 89 61
> chapuis@ip-plus.net
> CCIE #6023
> ----------------------
>
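The "blackhole setup" Chris refers to above is what is usually called source-based remotely triggered blackholing: loose-mode uRPF on the ingress interfaces plus a static route for the attacking *source* prefix to Null0. Loose uRPF asks only whether some route to the packet's source exists, and on Cisco IOS a route pointing at Null0 counts as a failed check, so every packet from that source is discarded in the CEF forwarding path without an ACL lookup, no matter what destination the attacker picks. The following Cisco IOS fragment is an added example, not configuration posted in this thread; the interface name, addresses and the attacker prefix 192.0.2.0/24 are constructed for illustration.

```cisco
! Added example (not from the thread): source-based blackholing with loose uRPF.
! Interface names and prefixes below are constructed, not taken from the thread.
!
! Step 1: enable loose-mode uRPF on each peer/customer-facing ingress interface.
!   "reachable-via any" passes a packet if ANY route to its source exists, so
!   asymmetric routing does not cause false drops. A route to Null0 is treated
!   as a failed check, which is what the blackhole below relies on.
interface GigabitEthernet0/1
 description Ingress from peer (constructed example)
 ip address 203.0.113.1 255.255.255.252
 ip verify unicast source reachable-via any
!
! Step 2: blackhole the attacking SOURCE prefix. From now on every packet whose
!   source falls in 192.0.2.0/24 fails uRPF on ingress and is dropped by CEF,
!   regardless of destination, with no access-list evaluated.
ip route 192.0.2.0 255.255.255.0 Null0
!
! Checks after applying:
!   show ip interface GigabitEthernet0/1 | include verify   (uRPF mode is shown)
!   show ip route 192.0.2.0                                  (route points to Null0)
!   show ip traffic | include RPF                            (uRPF drop counter grows)
```

Two caveats a practitioner will want. First, as Chris says, this inherits every restriction uRPF has: the platform must forward in CEF and support uRPF on the ingress interfaces, and loose mode will also start dropping traffic from any unrouted (bogon) source, which is normally desirable but is a behaviour change. Second, the same Null0 route also blackholes traffic *destined* to 192.0.2.0/24, so legitimate hosts in that prefix lose connectivity both ways until the route is withdrawn; in production the static route is usually pointed at a reserved next-hop that is itself routed to Null0 and pushed to all edge routers via BGP, so that a single withdrawal removes the blackhole everywhere.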