North American Network Operators Group


RE: Effective ways to deal with DDoS attacks?

  • From: LeBlanc, Jason
  • Date: Thu May 02 12:57:23 2002

Try a compiled ACL on a 3 port gigE for some fun.

-----Original Message-----
From: Christopher L. Morrow [mailto:[email protected]]
Sent: Thursday, May 02, 2002 9:48 AM
To: Vincent Gillet
Cc: Christopher L. Morrow; [email protected]; Pete Kruckenberg;
[email protected]
Subject: Re: Effective ways to deal with DDoS attacks?

On Thu, 2 May 2002, Vincent Gillet wrote:

> [email protected] disait :
>
> > > have been on the receiving end of, the first was generating a little over
> > > 300mbit/sec (steady for a prolonged time), and the second went over that by a
> > > fair bit.  In both cases, we had core equipment (M20's and BSN5000's) fall
> > > over and die trying to "work" the events.  Additionally, our upstream peers
> >
> > Your M20 tipped over?? What were you doing? We regularly stop large
> > (+100Mb->800Mb) attacks with less horsepower than this. Truthfully, a
> > cisco is even capable of filtering (done right) at +200kpps...
>
> On Cisco boxes, it depends too much on Interface type, LC Engine, IOS, ...
> etc ...

In this you have my whole-hearted agreement :( But, this goes back to
'know your systems, know their boundaries'. All of the people that work
here (on our team) know what you can and can't do, we are effective in our
jobs because of this. Sure your random NOC worker or even level3/4 NOC
worker isn't going to know all the ins and outs of security thingies on
your backbone equipment, that's why you pay 5-7 people to learn it :)

>
> Beside, some features cannot run concurrently (I remember an ACL on GSR
> that made my netflow export stop .... it took days to figure this out !!!)
>

Ha! :) try ACLs on engine-2 cards with sub-interfaces! (like the triton
gig card... cause no one would ever sub-interface a gig interface, right?)

> ACL implementation on GSR is a nightmare too.
> We are operating more than 70 GSRs with very different interfaces, LC
> engines and IOS ...
>

Just 70? your life is easy then :) Really though, this is, in my opinion,
the largest problem Cisco has to overcome. They need to have the 'luxury'
that Juniper has: One IOS, One implementation of commands, same commands
everywhere... consistency I believe it's called.

It's not, obviously, going to happen overnight, but to their credit folks
at cisco ARE working to make the security problem less of a problem. If
you are having trouble getting your sales folk from cisco to
listen/understand/pass-along-input you can look for their 'ISP Group'
which I'm sure Barry Greene will be happy to properly name and provide
contacts for, or perhaps they are in the sites he posted here before?