Re: Using Policy Routing to stop DoS attacks

["Charles H. Gucker" <cgucker () cv net>]

Andre,
        Actually it already exists.  But to do it, you need
to ensure you have loose-RPF checking enabled and null-route
the network you want the data dropped for.  Since a null-route
is considered by loose-RPF checking as a "bad" route, it will
drop the data for you.

thanks,
charles


On Fri, Mar 28, 2003 at 03:08:44PM +0100, Andre Chapuis wrote:
> We could ask Cisco and Juniper to add a way of 'artificially' remove networks from the CEF table (with an ACL or so). 
> That way, even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming 
> CPU.
> Or maybe such a feature already exist
> André
>
> At 09:06 25.03.2003 -0500, Christian Liendo wrote:
>
> > Looking for advice.
> >
> > I am sorry if this was discussed before, but I cannot seem to find this.
> > I want to use source routing as a way to stop a DoS rather than use access-lists.
> >
> > In other words, lets say I know the source IP (range of IPs) of an attack and they do not change.
> >
> > If the destination stays the same I can easily null route the destination, but what if the destination constantly 
> > changes. So I have to work based on the source IP.
> >
> > Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof.
> > What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on 
> > the router than an access-list.
> >
> > Has anyone else tried this successfully on ciscos and junipers?
> > Is it easier on the CPU than access-lists?
> > Is there a link I cannot find on cisco or google?
> >
> > Thanks
> > Christian Liendo
>
> ---------------------
> Andre Chapuis
> IP+ Engineering
> Swisscom Ltd
> Genfergasse 14
> 3050 Bern
> +41 31 893 89 61
> chapuis () ip-plus net
> CCIE #6023
> ----------------------