North American Network Operators Group


Re: Using Policy Routing to stop DoS attacks

  • From: Haesu
  • Date: Tue Mar 25 12:30:09 2003

> >
> > i am not really sure what kind of traffic we are talking about,
> > but if it's around 100Mbits/sec or so bandwidth, TurboACL should do it just
> > fine (around ~20% or lower CPU usage on a 7206VXR with NPE-G1)
>
> most likely the pps would kill the 5500 long before the bps :( especially
> if you want to route/acl it.

yea you're right.. for that "100Mbits/sec" bps i mentioned, the pps at
that rate was around 20,000 pps inbound as well as 18,000 pps outbound.

-hc

>
> >
> > -hc
> >
> > On Tue, 25 Mar 2003, John Kristoff wrote:
> >
> > >
> > > On Tue, 25 Mar 2003 09:06:01 -0500
> > > Christian Liendo <[email protected]> wrote:
> > >
> > > > I am sorry if this was discussed before, but I cannot seem to find
> > > > this. I want to use source routing as a way to stop a DoS rather than
> > > > use access-lists.
> > >
> > > If you fooled the router into thinking that the reverse path for the
> > > source is on another interface and then used strict unicast RPF
> > > checking, that may accomplish what you want without using ACLs.  I don't
> > > know what impact it would have on your CPU however, you'll have to
> > > investigate or provide more details.
> > >
> > > Note, depending on the platform and configuration, filters/ACLs may have
> > > an insignificant impact on the CPU.  If they don't, don't forget to
> > > complain to your vendor.  :-)
> > >
> > > John
> > >
> > >
> >
>
>
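The strict unicast RPF idea quoted in this thread, as an added example that is not part of the original messages: a small Python model of a forwarding table showing how a host route that moves a source's reverse path to a discard interface makes the strict check fail for that source only. The interface names, prefixes and addresses are constructed assumptions (documentation ranges), and the model does not represent any vendor's implementation.

```python
import ipaddress

class Fib:
    """Minimal longest-prefix-match forwarding table (constructed model)."""
    def __init__(self):
        self.routes = []  # list of (network, outgoing interface)

    def add(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [(net, ifc) for net, ifc in self.routes if ip in net]
        if not matches:
            return None
        # The most specific (longest) prefix wins.
        return max(matches, key=lambda m: m[0].prefixlen)[1]

def strict_urpf_accepts(fib, src, in_interface):
    """Strict uRPF: accept only if the best route back to the source
    points out the interface the packet arrived on."""
    return fib.lookup(src) == in_interface

def build_fib():
    fib = Fib()
    fib.add("203.0.113.0/24", "upstream0")   # remote network reached via transit
    fib.add("198.51.100.0/24", "customer0")  # protected customer network
    return fib

def blackhole_source(fib, src):
    # Host route that moves this source's reverse path to a discard interface.
    fib.add(f"{src}/32", "null0")

def demo():
    fib = build_fib()
    attacker, bystander = "203.0.113.66", "203.0.113.10"  # constructed hosts
    before = strict_urpf_accepts(fib, attacker, "upstream0")
    blackhole_source(fib, attacker)
    after = strict_urpf_accepts(fib, attacker, "upstream0")
    other = strict_urpf_accepts(fib, bystander, "upstream0")
    return before, after, other

if __name__ == "__main__":
    print(demo())
```

The drop decision here comes from a route lookup rather than a per-packet filter list, which is the property the thread is weighing against ACL CPU cost.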