Using Policy Routing to stop DoS attacks
Christian Liendo
cliendo at globix.com
Tue Mar 25 14:06:01 UTC 2003
Looking for advice.
I am sorry if this was discussed before, but I cannot seem to find this.
I want to use source routing as a way to stop a DoS rather than use
access-lists.
In other words, lets say I know the source IP (range of IPs) of an attack
and they do not change.
If the destination stays the same I can easily null route the destination,
but what if the destination constantly changes. So I have to work based on
the source IP.
Depending on the router and the code, if I implement an access-list then
the CPU utilization shoots through the roof.
What I would like to try and do is use source routing to route that traffic
to null. I figured it would be easier on the router than an access-list.
Has anyone else tried this successfully on ciscos and junipers?
Is it easier on the CPU than access-lists?
Is there a link I cannot find on cisco or google?
Thanks
Christian Liendo
More information about the NANOG
mailing list