North American Network Operators Group


Re: Using Policy Routing to stop DoS attacks

  • From: Christopher L. Morrow
  • Date: Tue Mar 25 12:01:33 2003

On Tue, 25 Mar 2003, Haesu wrote:

>
> uRPF will certainly save a few more CPU cycles than access-lists or policy

that is HIGHLY dependent on the platform in question. For the stated
'router' (5500+rsm) I'd think the impact would be about the same as for an
acl. 7500+RSP or 5500+RSM (which is pretty much a 7500+RSP) has to process-
switch all acl'd traffic, this includes uRPF traffic. There isn't the
hardware processing available for this in these platforms. The 12000 or
6500 both (among others) have hardware acceleration for forwarding and
route lookups. These are harnessed to make the uRPF work 'better' in said
platforms.

> routing.. it would be interesting to know any kind of 'common practice'
> ways people use to fool the router so that it will think such offensive
> source IP's are hitting uRPF.

you could hold blackhole routes for these destinations in your route table
(local or bgp). So long as the destination for the source is bad (null for
instance) the traffic would get dropped. I believe the proper terms from
cisco for this are: "So long as the adjacency is invalid" ...

>
> i am not really sure what kind of traffic we are talking about,
> but if its around 100Mbits/sec or so bandwidth, TurboACL should do it just
> fine (around ~20% or lower CPU usage on a 7206VXR with NPE-G1)

most likely the pps would kill the 5500 long before the bps :( especially
if you want to route/acl it.

>
> -hc
>
> On Tue, 25 Mar 2003, John Kristoff wrote:
>
> >
> > On Tue, 25 Mar 2003 09:06:01 -0500
> > Christian Liendo <[email protected]> wrote:
> >
> > > I am sorry if this was discussed before, but I cannot seem to find
> > > this. I want to use source routing as a way to stop a DoS rather than
> > > use access-lists.
> >
> > If you fooled the router into thinking that the reverse path for the
> > source is on another interface and then used strict unicast RPF
> > checking, that may accomplish what you want without using ACLs.  I don't
> > know what impact it would have on your CPU however, you'll have to
> > investigate or provide more details.
> >
> > Note, depending on the platform and configuration, filters/ACLs may have
> > an insignificant impact on the CPU.  If they don't, don't forget to
> > complain to your vendor.  :-)
> >
> > John
> >
> >
>
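The blackhole-route approach described in the reply above (drop the attack sources by giving them an invalid adjacency, then let uRPF do the filtering), as an added example configuration that is not from this thread. The interface name and the 192.0.2.0/24 source prefix are assumed placeholders (RFC 5737 documentation space).

```ios
! Edge router: enable loose-mode uRPF on the interface the attack arrives on.
! Loose mode only asks whether the FIB holds a route for the packet's source;
! a source whose best match points to Null0 fails the check and is dropped.
! Strict mode ("reachable-via rx", older IOS: "ip verify unicast reverse-path")
! additionally requires that route to point back out the receiving interface.
interface GigabitEthernet0/1
 description upstream link (assumed name)
 ip verify unicast source reachable-via any
!
! Blackhole route for the offending source prefix (placeholder value).
! Any packet sourced from 192.0.2.0/24 now resolves to Null0 and is dropped
! by the uRPF check, without an ACL entry per source.
ip route 192.0.2.0 255.255.255.0 Null0
!
! If this router carries a default route, unknown sources would otherwise
! fail uRPF too; allow-default lets the default route satisfy the check.
!  ip verify unicast source reachable-via any allow-default
!
! Verification: confirm the route is installed and that drops are counted.
!  show ip route 192.0.2.1
!  show ip interface GigabitEthernet0/1 | include verif
!  show ip traffic | include RPF
```

Removing the Null0 route is all that is needed to stop dropping the prefix once the attack subsides.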