nanog mailing list archives
Re: Using Policy Routing to stop DoS attacks
From: "Petri Helenius" <pete () he iki fi>
Date: Sat, 29 Mar 2003 00:05:05 +0200
With Juniper gear there is no performance difference between what you propose and an ACL, both run at wire rate. So implementing "CPU saving measures" is a pointless waste of time.

Pete

We could ask Cisco and Juniper to add a way of 'artificially' removing networks from the CEF table (with an ACL or so). That way, even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming CPU.

Or maybe such a feature already exists.

André

At 09:06 25.03.2003 -0500, Christian Liendo wrote:

Looking for advice. I am sorry if this was discussed before, but I cannot seem to find this.

I want to use source routing as a way to stop a DoS rather than use access-lists. In other words, let's say I know the source IP (range of IPs) of an attack and they do not change. If the destination stays the same I can easily null route the destination, but what if the destination constantly changes? So I have to work based on the source IP.

Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof. What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router than an access-list.

Has anyone else tried this successfully on ciscos and junipers? Is it easier on the CPU than access-lists? Is there a link I cannot find on cisco or google?

Thanks
Christian Liendo

---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
chapuis () ip-plus net
CCIE #6023
----------------------
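A simplified model of the mechanism discussed in this thread (a discard route for the attacking source range combined with a loose RPF check at ingress), added here as an illustration and not part of any poster's message. The prefixes are documentation ranges, the next-hop names are constructed, and the model assumes that a source address resolving to a discard route fails the loose RPF check.

```python
import ipaddress

DISCARD = "discard"  # stands in for a Null0 / discard next hop (assumed name)


class Fib:
    """Toy forwarding table with longest-prefix match."""

    def __init__(self):
        self.routes = {}  # ip_network -> next hop

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        """Return the next hop of the most specific matching route, or None."""
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def forward(fib, src, dst, loose_rpf=True):
    """Verdict for one packet arriving at the ingress interface."""
    # Loose RPF: the source only needs *some* usable route, on any interface.
    # A source with no route, or one that resolves to discard, fails the check.
    if loose_rpf and fib.lookup(src) in (None, DISCARD):
        return "drop: rpf"
    next_hop = fib.lookup(dst)
    if next_hop in (None, DISCARD):
        return "drop: no route"
    return "forward via " + next_hop


def build_fib():
    """Constructed sample table: two customers, one upstream, one blackholed source."""
    fib = Fib()
    fib.add("198.51.100.0/24", "upstream")
    fib.add("203.0.113.0/24", "customer-a")
    fib.add("192.0.2.0/24", "customer-b")
    # More-specific discard route covering the attacking source range.
    fib.add("198.51.100.64/26", DISCARD)
    return fib
```

With the discard route installed, packets from the blackholed range are dropped whatever their destination, while other sources inside the covering /24 still forward; with the RPF check disabled, the same discard route has no effect on traffic coming from that range.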