nanog mailing list archives
Re: Using Policy Routing to stop DoS attacks
From: Andre Chapuis <chapuis () ip-plus net>
Date: Fri, 28 Mar 2003 15:08:44 +0100
We could ask Cisco and Juniper to add a way of 'artificially' removing networks from the CEF table (with an ACL or so). That way, even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming CPU. Or maybe such a feature already exists.

André

At 09:06 25.03.2003 -0500, Christian Liendo wrote:
Looking for advice. I am sorry if this was discussed before, but I cannot seem to find this.

I want to use source routing as a way to stop a DoS rather than use access-lists. In other words, let's say I know the source IP (range of IPs) of an attack and they do not change. If the destination stays the same I can easily null route the destination, but what if the destination constantly changes? So I have to work based on the source IP.

Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof. What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router than an access-list.

Has anyone else tried this successfully on Ciscos and Junipers? Is it easier on the CPU than access-lists? Is there a link I cannot find on Cisco or Google?

Thanks

Christian Liendo
---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
chapuis () ip-plus net
CCIE #6023
----------------------
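
The loose-RPF source check discussed in this message, as a toy model added here for illustration; it is not part of the original post and not any vendor's code. It assumes that a source resolving to a discard next hop fails the check and that the default route satisfies it only when `allow_default` is set; the `Fib` class, the prefixes and the next-hop names are constructed.

```python
import ipaddress

DISCARD = "discard"  # stands in for a null/discard next hop (assumed behaviour)

class Fib:
    """Toy forwarding table: prefix -> next hop, longest-prefix match."""
    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None, None
        best = max(matches, key=lambda n: n.prefixlen)
        return best, self.routes[best]

    def without(self, prefix):
        """Copy with one entry removed (the 'remove from the table' idea)."""
        gone = ipaddress.ip_network(prefix)
        return Fib({str(n): nh for n, nh in self.routes.items() if n != gone})

    def with_route(self, prefix, next_hop):
        """Copy with one entry added, e.g. a more-specific discard route."""
        routes = {str(n): nh for n, nh in self.routes.items()}
        routes[prefix] = next_hop
        return Fib(routes)

def loose_rpf_permits(fib, src, allow_default=False):
    """Loose check: the source only has to resolve to a usable entry."""
    net, next_hop = fib.lookup(src)
    if net is None or next_hop == DISCARD:
        return False                      # no route back, or route to discard
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    return True

# Constructed table built from documentation prefixes.
BASE = Fib({
    "0.0.0.0/0": "upstream",
    "198.51.100.0/24": "peer-a",   # exact entry for attacking range A
    "203.0.113.0/24": "peer-b",    # covers attacking range B (203.0.113.128/25)
})
ATTACK_A = "198.51.100.77"
ATTACK_B = "203.0.113.200"
```

In this model, removing an entry drops the source only when no covering route other than the default remains; for a range inside a larger routed prefix, a more-specific discard entry is what makes the check fail while the rest of the prefix keeps passing.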