Re: Using Policy Routing to stop DoS attacks

[Haesu <haesu () towardex com>]

I dunno how you want to implement this; but as far as I know, the way most
people generally do policy routing on cisco thru routemap is they define
the source IP's via access-list... Does that make a huge difference than
regular access lists? I dunno...

I've kinda tested it in the lab with two 7206's and CPU load seems to be
about the same when done with regular access-list and done with policy
routing.. But, I don't have the true real data to back up my claims..

-hc

On Tue, 25 Mar 2003, Christian Liendo wrote:

> Looking for advice.
>
> I am sorry if this was discussed before, but I cannot seem to find this.
> I want to use source routing as a way to stop a DoS rather than use
> access-lists.
>
> In other words, lets say I know the source IP (range of IPs) of an attack
> and they do not change.
>
> If the destination stays the same I can easily null route the destination,
> but what if the destination constantly changes. So I have to work based on
> the source IP.
>
> Depending on the router and the code, if I implement an access-list then
> the CPU utilization shoots through the roof.
> What I would like to try and do is use source routing to route that traffic
> to null. I figured it would be easier on the router than an access-list.
>
> Has anyone else tried this successfully on ciscos and junipers?
> Is it easier on the CPU than access-lists?
> Is there a link I cannot find on cisco or google?
>
> Thanks
> Christian Liendo