Effective ways to deal with DDoS attacks?

Eric Gauthier eric at roxanne.org
Thu May 2 17:25:25 UTC 2002


> http://www.cisco.com/warp/public/707/newsflash.html
> There are some limitations as to where uRPF works, SONET only on GSRs for
> example (thanks Cisco).  I believe it will work on 65xx (SUP1A and SUP2 I
> think) regardless of interface type.  Impact should be minimal, as it simply
> does a lookup in the CEF table, if the route isn't there it discards.

We're running 6509s - both Sup1a and Sup2 - with 10, 100, and GigE links
in a large campus environment.  We did have some problems with the Sup2s
running hybrid code, but the Sup1as were fine.  When we switched over to
native IOS about six months ago, both the Sup1as and Sup2s handled it
without a problem or performance hit, even on some of our campus Gigabit links.
It's a nice feature but, as someone already pointed out, it's based on routing
table entries so there is NO PROTECTION if someone on a subnet is spoofing the
IP of another system on the same subnet.  Having said that, we use it more so
that we can quickly track the source of an attack if it's originating on our
network rather than as a means to protect ourselves from the big, bad
Internet.  Once we know the source, we know for sure what router interface
it's originating from, so we just start snooping traffic from that interface to
find the offending MAC and go from there...

Another limitation that we've found with uRPF is that it doesn't
live well with multihomed systems (i.e. a host with two NICs - each on
a different subnet) because of the way most OSes handle their
default gateways.  For anyone who is interested in our experience, drop me
a note off list.  If you have a solution for this multihoming problem, PLEASE
email me off-list.

Eric :)
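The two limitations described in this thread (strict uRPF does a route lookup on the source address, so it cannot catch a host spoofing a neighbour on the same subnet, and it can drop legitimate traffic from a multihomed host) are easy to see with a small model of the check. The following Python is an added example written for this archive page, not code from the poster or from Cisco; the FIB entries, interface names and addresses are constructed, and the multihomed scenario assumes one common way the default-gateway problem shows up (the host emits a packet sourced from its second NIC's address through the first NIC's default gateway), which is an assumption on my part rather than something the post spells out.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB, standing in for the router's CEF table:
# prefix -> interface the router would use to reach that prefix.
# All names and addresses are made up for illustration.
FIB: Dict[str, str] = {
    "10.1.0.0/24": "Vlan10",    # campus subnet A
    "10.2.0.0/24": "Vlan20",    # campus subnet B
    "192.0.2.0/24": "Gig1/1",   # a route learned from upstream
    "0.0.0.0/0": "Gig1/1",      # default route towards the Internet
}


def lookup(fib: Dict[str, str], src: str, allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match on the source address.

    Returns the egress interface the router would use to reach `src`, or
    None if there is no matching route. The default route is ignored unless
    allow_default is set, mirroring the usual strict-mode behaviour where a
    default route alone does not validate a source.
    """
    addr = ipaddress.ip_address(src)
    best, best_len = None, -1
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def strict_urpf(fib: Dict[str, str], ingress_iface: str, src: str) -> bool:
    """Strict uRPF: accept only if the route back to `src` points at the
    interface the packet arrived on. Anything else is discarded."""
    return lookup(fib, src) == ingress_iface


def loose_urpf(fib: Dict[str, str], src: str) -> bool:
    """Loose uRPF: accept if any (non-default) route to `src` exists."""
    return lookup(fib, src) is not None


# Constructed packets: (label, ingress interface, source address).
SCENARIOS: List[Tuple[str, str, str]] = [
    ("legit host on subnet A", "Vlan10", "10.1.0.7"),
    ("bogus source, no route", "Vlan10", "203.0.113.9"),
    ("spoofing a neighbour on subnet A", "Vlan10", "10.1.0.99"),
    ("multihomed host, NIC B address via NIC A gateway", "Vlan10", "10.2.0.5"),
]


def run_scenarios(fib: Dict[str, str] = FIB) -> Dict[str, bool]:
    """Apply strict uRPF to every constructed packet; True means accepted."""
    return {label: strict_urpf(fib, iface, src) for label, iface, src in SCENARIOS}


if __name__ == "__main__":
    for label, accepted in run_scenarios().items():
        print(f"{'PASS' if accepted else 'DROP':4}  {label}")
```

The third scenario is the point the post makes: a host on 10.1.0.0/24 forging 10.1.0.99 passes strict uRPF because the forged source still routes back out Vlan10, so the check only tells you which router interface the traffic entered, which is exactly the tracking use the poster describes. The fourth scenario is a legitimate packet that strict mode drops, which is the multihoming problem; loose mode would accept it, at the cost of no longer pinning a source to an interface.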


