nanog mailing list archives

RE: UDP DoS mitigation?


From: Ian Henderson <ianh () chime net au>
Date: Sun, 14 Dec 2008 12:02:20 +0900

Rick Ernst wrote on 2008-12-13:

- This instance was a DoS, not DDoS.  Single source and destination, but
  the source (assuming no spoofing) was in Italy.  Turning off netflow
  seemed to help, but the attack itself stopped at about the same time.

Before moving to hardware-based platforms, we used a lot of G1s on sticks. One of the advantages of this is the ability
to filter DoS traffic on the switch in front of the router - anything 2950 or higher (with L3 snooping capabilities)
can do this with an access list.

Router1 Gi0/1 ----- Gi0/1 Switch1 Gi0/2 ----- Upstream

On Switch1 configure something like:

        ! Extended ACL: drop everything from the attacking host, allow the rest.
        ! An extended entry needs a destination as well as a source ("any" here),
        ! otherwise IOS rejects the line as an incomplete command.
        access-list 100 deny ip host x.x.x.x any
        access-list 100 permit ip any any

        ! Apply it inbound on the upstream-facing port so the traffic is dropped
        ! before it ever reaches the router.
        interface GigabitEthernet0/2
         ip access-group 100 in

So if your topology allows for it, this is a great short-term fix. Note that this means you lose high-speed convergence
due to immediate link state notifications, and should use aggressive timers to compensate.


--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
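A fuller version of the switch-side filter described in the post above, as an added example that is not part of Ian's message or iiNet's configuration. It follows his Router1 / Switch1 / Upstream diagram and port numbering, but the addresses are RFC 5737 documentation addresses standing in for the attacker (192.0.2.10) and the target behind the router (198.51.100.5); the UDP-only match is an assumption based on the thread subject, and the hit-counter caveat is noted in the comments.

```cisco
! Added example (not from the original post): Catalyst IOS access list that
! drops a single-source UDP flood on the switch sitting in front of the router.
! 192.0.2.10 = attacking host, 198.51.100.5 = victim behind Router1.  Both are
! RFC 5737 documentation addresses, not addresses taken from the thread.
!
! Extended ACLs need both a source and a destination; "host x.x.x.x" with no
! destination is an incomplete command.  Matching only UDP from the attacker to
! the victim keeps the filter narrow; to drop all IP from that source instead,
! as the post does, use:  access-list 100 deny ip host 192.0.2.10 any
access-list 100 remark drop UDP flood 192.0.2.10 -> 198.51.100.5
access-list 100 deny   udp host 192.0.2.10 host 198.51.100.5
access-list 100 permit ip any any
!
! Apply inbound on the upstream-facing port (Gi0/2 in the diagram).  Port ACLs
! on these switches are inbound only, which is what is wanted here: the packets
! are discarded before they reach Router1 on Gi0/1, so they never hit the
! router's CPU or its NetFlow cache.
interface GigabitEthernet0/2
 description Upstream
 ip access-group 100 in
!
! Verification:
!   show access-lists 100
! lists the entries, but whether the per-entry hit counters increment depends
! on the platform, since some Catalyst models apply ACLs in hardware without
! updating them.  Confirm the effect from the traffic instead, e.g. the input
! rate on the router-facing port:
!   show interfaces GigabitEthernet0/1
! or the router's own interface counters, which should drop back to normal.
```

To remove the filter once the attack has stopped, delete the `ip access-group 100 in` line from the interface first, then the access list; removing the list while it is still applied leaves an empty ACL that permits everything on some IOS versions, which is harmless here but is worth knowing when the same trick is used with a more restrictive list.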
