|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Using Policy Routing to stop DoS attacks
Andre, Actually it already exists. But to do it, you need to ensure you have loose-RPF checking enabled and null-route the network you want the data dropped for. Since a null-route is considered by loose-RPF checking as a "bad" route, it will drop the data for you. thanks, charles On Fri, Mar 28, 2003 at 03:08:44PM +0100, Andre Chapuis wrote: > > We could ask Cisco and Juniper to add a way of 'artificially' remove networks from the CEF table (with an ACL or so). That way, even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming CPU. > Or maybe such a feature already exist > Andr� > > At 09:06 25.03.2003 -0500, Christian Liendo wrote: > > >Looking for advice. > > > >I am sorry if this was discussed before, but I cannot seem to find this. > >I want to use source routing as a way to stop a DoS rather than use access-lists. > > > >In other words, lets say I know the source IP (range of IPs) of an attack and they do not change. > > > >If the destination stays the same I can easily null route the destination, but what if the destination constantly changes. So I have to work based on the source IP. > > > >Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof. > >What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router than an access-list. > > > >Has anyone else tried this successfully on ciscos and junipers? > >Is it easier on the CPU than access-lists? > >Is there a link I cannot find on cisco or google? > > > >Thanks > >Christian Liendo > > > > --------------------- > Andre Chapuis > IP+ Engineering > Swisscom Ltd > Genfergasse 14 > 3050 Bern > +41 31 893 89 61 > [email protected] > CCIE #6023 > ---------------------- >
|