Using Policy Routing to stop DoS attacks

Petri Helenius pete at he.iki.fi
Fri Mar 28 22:05:05 UTC 2003


With Juniper gear there is no performance difference between what you propose
and an ACL, both run at wire rate. So implementing "CPU saving measures" is pointless
waste of time.

Pete

>
> We could ask Cisco and Juniper to add a way of 'artificially' remove networks from the CEF table (with an ACL or so). That way,
even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming CPU.
> Or maybe such a feature already exist
> André
>
> At 09:06 25.03.2003 -0500, Christian Liendo wrote:
>
> >Looking for advice.
> >
> >I am sorry if this was discussed before, but I cannot seem to find this.
> >I want to use source routing as a way to stop a DoS rather than use access-lists.
> >
> >In other words, lets say I know the source IP (range of IPs) of an attack and they do not change.
> >
> >If the destination stays the same I can easily null route the destination, but what if the destination constantly changes. So I
have to work based on the source IP.
> >
> >Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof.
> >What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router
than an access-list.
> >
> >Has anyone else tried this successfully on ciscos and junipers?
> >Is it easier on the CPU than access-lists?
> >Is there a link I cannot find on cisco or google?
> >
> >Thanks
> >Christian Liendo
> >
>
> ---------------------
> Andre Chapuis
> IP+ Engineering
> Swisscom Ltd
> Genfergasse 14
> 3050 Bern
> +41 31 893 89 61
> chapuis at ip-plus.net
> CCIE #6023
> ----------------------
>
>




More information about the NANOG mailing list