North American Network Operators Group


RE: UDP DoS mitigation?

  • From: Ian Henderson
  • Date: Sat Dec 13 22:02:56 2008

Rick Ernst wrote on 2008-12-13:

> - This instance was a DoS, not DDoS.  Single source and destination, but
>   the source (assuming no spoofing) was in Italy.  Turning off netflow
>   seemed to help, but the attack itself stopped at about the same time.

Before moving to hardware-based platforms, we used a lot of G1s on sticks. One of the advantages of this is the ability to filter DoS traffic on the switch in front of the router - anything 2950 or higher (with L3 snooping capabilities) can do this with an access list.

Router1 Gi0/1 ----- Gi0/1 Switch1 Gi0/2 ----- Upstream

On Switch1 configure something like:

        ! Extended ACL: drop everything from the attacking source (x.x.x.x),
        ! then allow all other traffic through unchanged.
        access-list 100 deny ip host x.x.x.x any
        access-list 100 permit ip any any

        ! Apply inbound on the upstream-facing port so the traffic is
        ! dropped on the switch before it reaches the router.
        interface GigabitEthernet0/2
         ip access-group 100 in

So if your topology allows for it, this is a great short-term fix. Note that this means you lose high-speed convergence due to immediate link state notifications, and should use aggressive timers to compensate.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
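The switch-side filter above is written for one attacking host. As an added example (not from the original post, and not iiNet's or Cisco's code), the following Python generator produces the same style of IOS extended ACL for a list of sources, computes the wildcard mask for prefixes rather than single hosts, and refuses entries that would block your own address space or everything (0.0.0.0/0). The function names, the ACL number range check and the sample addresses are assumptions of this example; the sample sources are constructed from documentation ranges.

```python
"""Generate a Cisco IOS extended ACL that drops traffic from attacking sources,
in the style of the switch-in-front-of-the-router filter in the post above.
Example code only; not part of the original message."""
import ipaddress


def wildcard_mask(prefix):
    """IOS ACLs use wildcard (inverted) masks: a 0 bit must match, a 1 bit is ignored.
    Accepts '203.0.113.0/24' or an IPv4Network and returns e.g. '0.0.0.255'."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.hostmask)


def build_acl(acl_number, sources, protect=None):
    """Return IOS config lines: one deny per source, then 'permit ip any any'.

    sources : iterable of '198.51.100.7' or '203.0.113.0/24' strings (constructed input)
    protect : optional prefixes (your own space, transit links) that must never be
              denied; a source overlapping one of them raises ValueError
    """
    # Numbered extended IPv4 ACLs live in 100-199 and 2000-2699 (assumed check).
    if not (100 <= acl_number <= 199 or 2000 <= acl_number <= 2699):
        raise ValueError("extended numbered ACLs are 100-199 or 2000-2699")

    protected = [ipaddress.ip_network(p, strict=False) for p in (protect or [])]
    lines = []
    seen = set()
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        if net.version != 4:
            raise ValueError(f"{net} is not IPv4; this ACL style is IPv4-only")
        if net.prefixlen == 0:
            # A deny of 0.0.0.0/0 would black-hole the whole upstream link.
            raise ValueError("refusing to deny 0.0.0.0/0")
        for p in protected:
            if net.overlaps(p):
                raise ValueError(f"{net} overlaps protected prefix {p}")
        if net in seen:
            continue  # de-duplicate repeated sources
        seen.add(net)
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} deny ip host {net.network_address} any")
        else:
            lines.append(
                f"access-list {acl_number} deny ip {net.network_address} "
                f"{wildcard_mask(net)} any"
            )
    # Explicit permit at the end; without it the implicit deny drops all traffic.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def bind_acl(acl_number, interface):
    """Return the interface stanza that applies the ACL inbound."""
    return [f"interface {interface}", f" ip access-group {acl_number} in"]


if __name__ == "__main__":
    # Constructed sample: one host and one /24, with our own /24 protected.
    cfg = build_acl(100, ["198.51.100.7", "203.0.113.0/24"], protect=["192.0.2.0/24"])
    cfg += bind_acl(100, "GigabitEthernet0/2")
    print("\n".join(cfg))
```

The protect list is the check most worth keeping: when an ACL is being typed in a hurry during an attack, the costly mistake is denying a prefix that covers your own link or customer space, and the generator turns that into an error before anything is pasted into the switch.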