Using Policy Routing to stop DoS attacks

Christopher L. Morrow chris at UU.NET
Tue Mar 25 16:50:32 UTC 2003



On Tue, 25 Mar 2003, Christian Liendo wrote:

>
> Looking for advice.
>
> I am sorry if this was discussed before, but I cannot seem to find this.
> I want to use source routing as a way to stop a DoS rather than use
> access-lists.

you can null route it also.

>
> In other words, let's say I know the source IP (range of IPs) of an attack
> and they do not change.
>

if you know the source, walk back to the source ingress and stop it there?
Unless it's a large number of sources, in which case the null route should
be applied.

> If the destination stays the same I can easily null route the destination,
> but what if the destination constantly changes. So I have to work based on
> the source IP.
>

if the destination changes? Can you clarify that? You have attacks in
which the destination changes inside a /24 or inside some larger netblock?

> Depending on the router and the code, if I implement an access-list then
> the CPU utilization shoots through the roof.

Given your description of the problem so far I'm going to say you are
using router vendor !J so policy routing (source routing) is guaranteed to
do more harm than a simple acl would. Additionally, how large an acl are
you trying to implement for this attack scenario? 'less is more'
especially with DoS attack filtering.

> What I would like to try and do is use source routing to route that traffic
> to null. I figured it would be easier on the router than an access-list.
>

How so? The same basic processing must be done for each packet if you
policy route or acl... each packet must be pushed through an acl to an
unnatural next-hop (null in the case of an acl or 'wrong interface' for
policy routing)

> Has anyone else tried this successfully on ciscos and junipers?

you theoretically COULD do this on a juniper, it's making the problem much
harder though... the juniper could just as easily filter it. Policy
routing on the cisco gear I've tried it on doesn't work well for high
packet-rate streams.

> Is it easier on the CPU than access-lists?

no, not in any way is it better than an acl.

> Is there a link I cannot find on cisco or google?
>

for policy routing sure... http://smlnk.com/?MTAQBMRI
there were a bunch more links as a result of: "Policy route" entered in
the cisco.com search tool.

> Thanks
> Christian Liendo
>
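The three approaches discussed in this exchange, written out as Cisco IOS configuration so the difference is concrete. This is an added example, not configuration from either poster or from any vendor document the thread links to. The prefixes 192.0.2.0/24 (victim) and 198.51.100.0/24 (attack source) are constructed documentation addresses, and GigabitEthernet0/0 is an assumed ingress interface; the last stanza (loose-mode uRPF plus a static route to Null0) is the standard way to "null route" by source on IOS without an ACL or route-map, added here as the practical reading of "you can null route it also" rather than something the thread itself spells out.

```cisco
! 1. Destination-based null route: the case Liendo says is easy.
!    Every packet to the victim prefix is discarded in the forwarding path.
ip route 192.0.2.0 255.255.255.0 Null0

! 2. Policy routing a known source into Null0, the approach Liendo asked about.
!    The packet is still matched against an ACL and then handed to an
!    "unnatural" next hop, exactly the per-packet work Morrow describes.
access-list 100 permit ip 198.51.100.0 0.0.0.255 any
route-map DROP-ATTACK-SRC permit 10
 match ip address 100
 set interface Null0
!
interface GigabitEthernet0/0
 ip policy route-map DROP-ATTACK-SRC

! 3. The plain ingress ACL Morrow recommends instead: same match, no
!    route-map stage. Keep the list short; "less is more" under attack.
ip access-list extended BLOCK-ATTACK-SRC
 deny ip 198.51.100.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 no ip policy route-map DROP-ATTACK-SRC
 ip access-group BLOCK-ATTACK-SRC in

! 4. Source-based null route without an ACL or route-map (added here; not
!    described in the thread): loose-mode uRPF drops any packet whose source
!    address resolves to a Null0 route, so a static route for the attack
!    source to Null0 becomes a source blackhole that scales like a FIB entry.
interface GigabitEthernet0/0
 no ip access-group BLOCK-ATTACK-SRC in
 ip verify unicast source reachable-via any
!
ip route 198.51.100.0 255.255.255.0 Null0
```

Stanzas 2, 3 and 4 are alternatives on the same interface, which is why each one removes the previous mechanism before applying its own. To confirm which one is actually doing the work, `show route-map DROP-ATTACK-SRC` reports policy-routing matches, `show access-lists` reports ACL hit counts, and `show ip interface GigabitEthernet0/0` reports uRPF verification drops; if the box in question is the kind Morrow describes (policy routing handled in software), the CPU figure during the attack is the number that settles the argument.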




More information about the NANOG mailing list