Re: Using Policy Routing to stop DoS attacks

[Haesu <haesu () towardex com>]

> > i am not really sure what kind of traffic we are talking about,
> > but if its around 100Mbits/sec or so bandwidth, TurboACL should do it just
> > fine (around ~20% or lower CPU usage on a 7206VXR with NPE-G1)
>
> most likely the pps would kill the 5500 long before the bps :( especially
> if you want to route/acl it.

yea you're right.. for that "100Mbits/sec" bps i mentioned, the pps at
that rate was around 20,000 pps inbound as well as 18,000 pps outbound.

-hc

> > -hc
> >
> > On Tue, 25 Mar 2003, John Kristoff wrote:
> >
> > > On Tue, 25 Mar 2003 09:06:01 -0500
> > > Christian Liendo <cliendo () globix com> wrote:
> > >
> > > > I am sorry if this was discussed before, but I cannot seem to find
> > > > this. I want to use source routing as a way to stop a DoS rather than
> > > > use access-lists.
> > >
> > > If you fooled the router into thinking that the reverse path for the
> > > source is on another another interface and then used strict unicast RPF
> > > checking, that may accomplish what you want without using ACLs.  I don't
> > > know what impact it would have on your CPU however, you'll have to
> > > investigate or provide more details.
> > >
> > > Note, depending on the platform and configuration, filters/ACLs may have
> > > an insignficant impact on the CPU.  If they don't, don't forget to
> > > complain to your vendor.  :-)
> > >
> > > John