North American Network Operators Group

Re: Using Policy Routing to stop DoS attacks
I dunno how you want to implement this; but as far as I know, the way most people generally do policy routing on cisco thru routemap is they define the source IP's via access-list... Does that make a huge difference than regular access lists? I dunno...

I've kinda tested it in the lab with two 7206's and CPU load seems to be about the same when done with regular access-list and done with policy routing.. But, I don't have the true real data to back up my claims..

-hc

On Tue, 25 Mar 2003, Christian Liendo wrote:

>
> Looking for advice.
>
> I am sorry if this was discussed before, but I cannot seem to find this.
> I want to use source routing as a way to stop a DoS rather than use
> access-lists.
>
> In other words, let's say I know the source IP (range of IPs) of an attack
> and they do not change.
>
> If the destination stays the same I can easily null route the destination,
> but what if the destination constantly changes. So I have to work based on
> the source IP.
>
> Depending on the router and the code, if I implement an access-list then
> the CPU utilization shoots through the roof.
> What I would like to try and do is use source routing to route that traffic
> to null. I figured it would be easier on the router than an access-list.
>
> Has anyone else tried this successfully on ciscos and junipers?
> Is it easier on the CPU than access-lists?
> Is there a link I cannot find on cisco or google?
>
> Thanks
> Christian Liendo
>
>
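The two approaches compared in this thread, side by side, as an added Cisco IOS example that is not part of either message. The ACL numbers, the route-map name, the interface and the 192.0.2.0/24 source range are constructed placeholders.

```cisco
! Constructed example: 192.0.2.0/24 stands in for the known attack sources.
!
! --- Approach A: policy routing to Null0 (what the reply describes) ---
! The access-list only classifies traffic here; "permit" means
! "match this source for the route-map", not "forward it".
access-list 150 permit ip 192.0.2.0 0.0.0.255 any
!
route-map DROP-DOS-SOURCES permit 10
 match ip address 150
 set interface Null0
! Packets that do not match ACL 150 fall out of the route-map and are
! forwarded by the normal destination-based routing table.
!
interface Null0
 ! Do not send an ICMP unreachable for every discarded packet.
 no ip unreachables
!
interface GigabitEthernet0/1
 description Ingress interface facing the attack traffic
 ip policy route-map DROP-DOS-SOURCES
!
! --- Approach B: plain inbound access-list, for comparison ---
! Use instead of the "ip policy" line above, not together with it.
access-list 151 deny   ip 192.0.2.0 0.0.0.255 any
access-list 151 permit ip any any
!
! interface GigabitEthernet0/1
!  ip access-group 151 in
!
! Verification on the router:
!   show route-map DROP-DOS-SOURCES   (policy-routing match counters)
!   show access-lists 150             (classifier hit counts)
!   show processes cpu                (compare load under each approach)
```

Both approaches classify packets with an access-list on the ingress interface, so comparing `show processes cpu` under each on the target platform is the way to answer the CPU question for a given router and software version.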