nanog mailing list archives
Re: Using Policy Routing to stop DoS attacks
From: Christian Liendo <cliendo () globix com>
Date: Tue, 25 Mar 2003 09:58:39 -0500
At 09:21 AM 3/25/2003 -0500, Haesu wrote:
Well yes, It seems that an IP deny is more process intensive than an IP permit. I do not claim to know why. I have just seen it myself.I dunno how you want to implement this; but as far as I know, the way most people generally do policy routing on cisco thru routemap is they define the source IP's via access-list... Does that make a huge difference than regular access lists? I dunno...
Anyway depending on the attack with large numbers of packets sometimes the CPU is so high you can get knocked off the router.
I wanted to see if policy routing is less taxing on the router.With the access-list for a policy route map you have a access-list permit, so I figured it might be less taxing.
While I have had this problem on different routers the ones I constantly have it on are Cisco Cat 5000s with RSMs(RSP4). I have tried different codes, I am currently at 12.04. But it's not a code issue. It's just a limitation of the router. I just need something less taxing on the router.Which Cisco router ? IOS ? HW/SW/CEF/netflow/<whatver> "IP switching" ?
I just need to know if anyone has already done this.
Current thread:
- Using Policy Routing to stop DoS attacks Christian Liendo (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Haesu (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Christian Liendo (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Jack Bates (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Rafi Sadowsky (Mar 25)
- Re: Using Policy Routing to stop DoS attacks John Kristoff (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Haesu (Mar 25)
- Re: Using Policy Routing to stop DoS attacks fingers (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Christopher L. Morrow (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Haesu (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Haesu (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Haesu (Mar 25)
- Re: Using Policy Routing to stop DoS attacks Christopher L. Morrow (Mar 25)
- <Possible follow-ups>
- RE: Using Policy Routing to stop DoS attacks Jim Deleskie (Mar 25)
- RE: Using Policy Routing to stop DoS attacks Christopher L. Morrow (Mar 25)