UDP DoS mitigation?

Ian Henderson ianh at chime.net.au
Sat Dec 13 21:02:20 CST 2008


Rick Ernst wrote on 2008-12-13:

> - This instance was a DoS, not DDoS.  Single source and destination,
> but
>   the source (assuming no spoofing) was in Italy.  Turning off netflow
>   seemed to help, but the attack itself stopped at about the same time.

Before moving to hardware based platforms, we used a lot of G1s on sticks. One of the advantages of this is the ability to filter DOS traffic on the switch in front of the router - anything 2950 or higher (with L3 snooping capabilities) can do this with an access list.

Router1 Gi0/1 ----- Gi0/1 Switch1 Gi0/2 ----- Upstream

On Switch1 configure something like:

        access-list 100 deny ip host x.x.x.x
        access-list 100 permit ip any any

        interface GigabitEthernet0/2
         ip access-group 100 in

So if your topology allows for it, this is a great short term fix. Note that this means you lose high speed convergence due to immediate link state notifications, and should use aggressive timers to compensate.


--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited





More information about the NANOG mailing list