North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Using Policy Routing to stop DoS attacks

  • From: Petri Helenius
  • Date: Fri Mar 28 17:07:36 2003

With Juniper gear there is no performance difference between what you propose
and an ACL, both run at wire rate. So implementing "CPU saving measures" is pointless
waste of time.

Pete

>
> We could ask Cisco and Juniper to add a way of 'artificially' remove networks from the CEF table (with an ACL or so). That way,
even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming CPU.
> Or maybe such a feature already exist
> Andr�
>
> At 09:06 25.03.2003 -0500, Christian Liendo wrote:
>
> >Looking for advice.
> >
> >I am sorry if this was discussed before, but I cannot seem to find this.
> >I want to use source routing as a way to stop a DoS rather than use access-lists.
> >
> >In other words, lets say I know the source IP (range of IPs) of an attack and they do not change.
> >
> >If the destination stays the same I can easily null route the destination, but what if the destination constantly changes. So I
have to work based on the source IP.
> >
> >Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof.
> >What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router
than an access-list.
> >
> >Has anyone else tried this successfully on ciscos and junipers?
> >Is it easier on the CPU than access-lists?
> >Is there a link I cannot find on cisco or google?
> >
> >Thanks
> >Christian Liendo
> >
>
> ---------------------
> Andre Chapuis
> IP+ Engineering
> Swisscom Ltd
> Genfergasse 14
> 3050 Bern
> +41 31 893 89 61
> [email protected]
> CCIE #6023
> ----------------------
>
>