Re: Using Policy Routing to stop DoS attacks

From: Andre Chapuis (no email)
Date: Fri Mar 28 2003 - 09:08:44 EST


We could ask Cisco and Juniper to add a way of 'artificially' remove networks from the CEF table (with an ACL or so). That way, even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming CPU.
Or maybe such a feature already exist
André

At 09:06 25.03.2003 -0500, Christian Liendo wrote:

>Looking for advice.
>
>I am sorry if this was discussed before, but I cannot seem to find this.
>I want to use source routing as a way to stop a DoS rather than use access-lists.
>
>In other words, lets say I know the source IP (range of IPs) of an attack and they do not change.
>
>If the destination stays the same I can easily null route the destination, but what if the destination constantly changes. So I have to work based on the source IP.
>
>Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof.
>What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router than an access-list.
>
>Has anyone else tried this successfully on ciscos and junipers?
>Is it easier on the CPU than access-lists?
>Is there a link I cannot find on cisco or google?
>
>Thanks
>Christian Liendo
>

---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61

CCIE #6023
----------------------








Hosted Email Solutions

Invaluement Anti-Spam DNSBLs



Powered By FreeBSD   Powered By FreeBSD