UDP DoS mitigation?
ianh at chime.net.au
Sat Dec 13 21:02:20 CST 2008
Rick Ernst wrote on 2008-12-13:
> - This instance was a DoS, not DDoS. Single source and destination,
> the source (assuming no spoofing) was in Italy. Turning off netflow
> seemed to help, but the attack itself stopped at about the same time.
Before moving to hardware-based platforms, we used a lot of G1s on sticks. One of the advantages of this is the ability to filter DoS traffic on the switch in front of the router - anything 2950 or higher (with L3 snooping capabilities) can do this with an access list.
Router1 Gi0/1 ----- Gi0/1 Switch1 Gi0/2 ----- Upstream
On Switch1 configure something like:
access-list 100 deny ip host x.x.x.x any
access-list 100 permit ip any any
! apply inbound on the port facing upstream (Gi0/2 in the diagram above)
interface GigabitEthernet0/2
 ip access-group 100 in
So if your topology allows for it, this is a great short term fix. Note that this means you lose high speed convergence due to immediate link state notifications, and should use aggressive timers to compensate.
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
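As an added illustration of the approach in this post (this is example code, not the poster's or iiNet's), the script below looks at a set of flow records, confirms that one source really is responsible for almost all of the UDP traffic (the single-source DoS case the post describes, as opposed to a DDoS where a per-host ACL would not help), and renders the switch-side access list and its removal. The flow records are constructed for illustration; their field layout (src, dst, proto, packets) is an assumption rather than any real NetFlow export format, and the interface name GigabitEthernet0/2 follows the topology drawn in the post.

```python
"""Pick the dominant UDP source from flow records and emit the Cisco IOS
access-list that drops it on the switch port facing upstream.

Added example, not from the original post. The flow records are
constructed; the record layout (src, dst, proto, packets) is an
assumption, not a NetFlow format. GigabitEthernet0/2 is the upstream
facing port in the post's diagram.
"""

from collections import Counter
import ipaddress

# Constructed sample: (src, dst, proto, packets) for one collection interval.
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.10", "udp", 480000),
    ("203.0.113.7", "198.51.100.10", "udp", 510000),
    ("192.0.2.44", "198.51.100.10", "udp", 1200),
    ("192.0.2.45", "198.51.100.11", "tcp", 9000),
    ("192.0.2.46", "198.51.100.10", "udp", 800),
]


def dominant_udp_source(flows, share=0.8):
    """Return (src, fraction) for the single source sending at least
    `share` of all UDP packets, or None when the traffic is spread across
    many sources (a DDoS or ordinary load, where blocking one host is
    pointless)."""
    per_src = Counter()
    for src, _dst, proto, packets in flows:
        if proto == "udp":
            per_src[src] += packets
    total = sum(per_src.values())
    if total == 0:
        return None
    src, pkts = per_src.most_common(1)[0]
    fraction = pkts / total
    return (src, fraction) if fraction >= share else None


def acl_config(src, acl_number=100, interface="GigabitEthernet0/2"):
    """Render the switch-side ACL from the post. An extended IOS ACL entry
    needs both a source and a destination, hence the trailing `any`."""
    ipaddress.IPv4Address(src)  # reject garbage before it reaches a config
    return "\n".join([
        f"access-list {acl_number} deny ip host {src} any",
        f"access-list {acl_number} permit ip any any",
        f"interface {interface}",
        f" ip access-group {acl_number} in",
    ])


def removal_config(acl_number=100, interface="GigabitEthernet0/2"):
    """Commands to take the short-term fix out again once the flood stops."""
    return "\n".join([
        f"interface {interface}",
        f" no ip access-group {acl_number} in",
        f"no access-list {acl_number}",
    ])


if __name__ == "__main__":
    hit = dominant_udp_source(SAMPLE_FLOWS)
    if hit is None:
        print("no single dominant UDP source; a per-host ACL will not help")
    else:
        src, fraction = hit
        print(f"! {src} sent {fraction:.1%} of UDP packets in the sample")
        print(acl_config(src))
        print("!")
        print(removal_config())
```

Run it as-is to see the generated configuration for the constructed sample; swap SAMPLE_FLOWS for records exported from your own collector. The `share` threshold is the guard that keeps this a single-source tool: when the top talker falls below it, nothing is generated.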