UDP DoS mitigation?

• Previous message (by thread): UDP DoS mitigation?
• Next message (by thread): UDP DoS mitigation?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Rick Ernst wrote on 2008-12-13:

> - This instance was a DoS, not DDoS.  Single source and destination,
> but
>   the source (assuming no spoofing) was in Italy.  Turning off netflow
>   seemed to help, but the attack itself stopped at about the same time.

Before moving to hardware based platforms, we used a lot of G1s on sticks. One of the advantages of this is the ability to filter DOS traffic on the switch in front of the router - anything 2950 or higher (with L3 snooping capabilities) can do this with an access list.

Router1 Gi0/1 ----- Gi0/1 Switch1 Gi0/2 ----- Upstream

On Switch1 configure something like:

        access-list 100 deny ip host x.x.x.x
        access-list 100 permit ip any any

        interface GigabitEthernet0/2
         ip access-group 100 in

So if your topology allows for it, this is a great short term fix. Note that this means you lose high speed convergence due to immediate link state notifications, and should use aggressive timers to compensate.


--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

• Previous message (by thread): UDP DoS mitigation?
• Next message (by thread): UDP DoS mitigation?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]