North American Network Operators Group


Re: Using Policy Routing to stop DoS attacks

  • From: Jack Bates
  • Date: Tue Mar 25 12:40:58 2003

Haesu wrote:
> I dunno how you want to implement this; but as far as I know, the way
> most people generally do policy routing on Cisco thru a route-map is
> they define the source IPs via access-list... Does that make a huge
> difference from regular access lists? I dunno...
>
> I've kinda tested it in the lab with two 7206s and CPU load seems to
> be about the same when done with regular access-list and done with
> policy routing.. But, I don't have the true real data to back up my
> claims..
>

On a live production network under DoS attack, access-lists applied to the
inbound interfaces are less CPU load than switching the packet on a 7206
running 12.0(x)S code. Policy routing, even with ip route-cache policy, is an
increase in load. This is especially true when using extended access lists
for, say, port 80 redirects. This was noted when doing special caching
policies before our load exceeded what the ArrowPoint and the 7206 CPUs
could handle. FYI: one of my DoS attacks was a PPS attack, and since the
packets were small and not using bandwidth, blocking via access-list
recovered the network completely with little notice of CPU load over normal
traffic. Apparently a 7206 can block more PPS than it can switch.


--
Jack Bates
Network Engineer
BrightNet Oklahoma
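The two approaches compared in this thread, as an added IOS configuration example that is not part of either poster's message: the route-map policy routing that Haesu describes (an extended access-list selecting port 80 traffic, handed to a next-hop by a route-map with `ip route-cache policy`) next to the plain inbound access-list drop that Jack reports as cheaper under a PPS flood. Interface names, ACL numbers and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed placeholders from the RFC 5737 documentation ranges, not values from the thread.

```cisco
! --- Approach 1: policy routing via route-map (the "port 80 redirect" case) ---
! Extended ACL that the route-map matches on; every packet on the interface
! is evaluated against it before the switching decision is made.
access-list 150 permit tcp any any eq www
!
route-map WEB-REDIRECT permit 10
 match ip address 150
 set ip next-hop 198.51.100.1        ! constructed: cache/ArrowPoint address
!
interface FastEthernet0/0
 description Upstream (constructed example)
 ip policy route-map WEB-REDIRECT
 ip route-cache policy               ! fast-switched PBR; still extra per-packet work
!
! --- Approach 2: inbound access-list drop (the PPS-attack case) ---
! Offending sources are discarded at the inbound interface, so the router
! never spends cycles switching them. Keep the deny lines at the top so the
! flood short-circuits ACL evaluation early.
access-list 151 deny   ip host 192.0.2.10 any     ! constructed attack source
access-list 151 deny   ip 192.0.2.128 0.0.0.127 any
access-list 151 permit ip any any
!
interface FastEthernet0/0
 ip access-group 151 in
!
! --- Checks a practitioner would run while the attack is active ---
! Per-entry match counters confirm the deny lines are actually taking the hits.
! show ip access-lists 151
! Compare process load before and after applying the inbound ACL.
! show processes cpu
```

If the deny counters on ACL 151 are not climbing while `show processes cpu` stays high, the flood is not matching the filter and the policy route-map is still being evaluated for it, which is the load increase the message describes.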