Re: Using Policy Routing to stop DoS attacks

[Haesu <haesu () towardex com>]

uRPF will certainly save a bit of CPU cycles than access-lists or policy
routing.. it would be intertesting to know any kind of 'common practice'
ways people use to fool the router so that it will think such offensive
source IP's are hitting uRPF.

i am not really sure what kind of traffic we are talking about,
but if its around 100Mbits/sec or so bandwidth, TurboACL should do it just
fine (around ~20% or lower CPU usage on a 7206VXR with NPE-G1)

-hc

On Tue, 25 Mar 2003, John Kristoff wrote:

> On Tue, 25 Mar 2003 09:06:01 -0500
> Christian Liendo <cliendo () globix com> wrote:
>
> > I am sorry if this was discussed before, but I cannot seem to find
> > this. I want to use source routing as a way to stop a DoS rather than
> > use access-lists.
>
> If you fooled the router into thinking that the reverse path for the
> source is on another another interface and then used strict unicast RPF
> checking, that may accomplish what you want without using ACLs.  I don't
> know what impact it would have on your CPU however, you'll have to
> investigate or provide more details.
>
> Note, depending on the platform and configuration, filters/ACLs may have
> an insignficant impact on the CPU.  If they don't, don't forget to
> complain to your vendor.  :-)
>
> John