On Tue, 25 Mar 2003, Christian Liendo wrote:
Looking for advice.
I am sorry if this was discussed before, but I cannot seem to find this. I want to use source routing as a way to stop a DoS rather than use access-lists.
You can null route it also.
In other words, let's say I know the source IP (range of IPs) of an attack and they do not change.
If you know the source, walk back to the source ingress and stop it there? Unless it's a large number of sources, in which case the null route should be applied.
If the destination stays the same I can easily null route the destination, but what if the destination constantly changes. So I have to work based on the source IP.
If the destination changes? Can you clarify that? You have attacks in which the destination changes inside a /24 or inside some larger netblock?
Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof.
Given your description of the problem so far, I'm going to say you are using router vendor !J, so policy routing (source routing) is guaranteed to do more harm than a simple acl would. Additionally, how large an acl are you trying to implement for this attack scenario? 'Less is more', especially with DoS attack filtering.
What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router than an access-list.
How so? The same basic processing must be done for each packet if you policy route or acl... each packet must be pushed through an acl to an unnatural next-hop (null in the case of an acl or 'wrong interface' for policy routing).
Has anyone else tried this successfully on Ciscos and Junipers?
You theoretically COULD do this on a Juniper; it's making the problem much harder though... the Juniper could just as easily filter it. Policy routing on the Cisco gear I've tried it on doesn't work well for high packet-rate streams.
Is it easier on the CPU than access-lists?
No, not in any way is it better than an acl.
Is there a link I cannot find on Cisco or Google?
For policy routing, sure... http://smlnk.com/?MTAQBMRI. There were a bunch more links as a result of "Policy route" entered in the cisco.com search tool.
Thanks, Christian Liendo
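The mechanisms the thread compares, side by side, as an added example that is not part of the original post or reply. It assumes a Cisco IOS router, uses the RFC 5737 documentation prefixes 192.0.2.0/24 (victim) and 198.51.100.0/24 (attack sources), and the interface, ACL and route-map names are hypothetical. Options 1 to 3 are the destination null route, the inbound ACL and the policy-routing approach discussed above; option 4 (loose-mode uRPF plus a null route for the source prefix) is not mentioned in the thread and is added here because it gives the source-based drop the poster wanted without the per-packet ACL evaluation the reply warns about.

```cisco
! Added example, not from the thread. Prefixes are documentation ranges;
! GigabitEthernet0/1, DOS-SOURCES, DROP-DOS and ACL 101 are hypothetical.

! Keep the router from generating ICMP unreachables for dropped packets.
interface Null0
 no ip unreachables

! 1. Destination-based null route: a plain FIB entry, forwarded in
!    hardware on most platforms. Only useful while the target prefix
!    stays the same.
ip route 192.0.2.0 255.255.255.0 Null0

! 2. Source-based drop with an inbound ACL on the ingress interface.
!    Keep the list short: every packet arriving on the interface is
!    matched top to bottom until an entry fires.
ip access-list extended DOS-SOURCES
 deny   ip 198.51.100.0 0.0.0.255 any
 permit ip any any
interface GigabitEthernet0/1
 ip access-group DOS-SOURCES in

! 3. Policy routing to Null0, the approach the poster asked about.
!    Each packet is still classified against ACL 101 before the
!    route-map can override the next hop, so this is no cheaper than
!    option 2, and on many IOS platforms PBR is process-switched.
access-list 101 permit ip 198.51.100.0 0.0.0.255 any
route-map DROP-DOS permit 10
 match ip address 101
 set interface Null0
interface GigabitEthernet0/1
 ip policy route-map DROP-DOS

! 4. Source-based blackholing via loose-mode uRPF (assumes the platform
!    supports it). A packet whose source address is routed to Null0
!    fails the reachable-via check and is dropped in the forwarding
!    plane; no ACL is evaluated per packet. Caveat: the Null0 route also
!    discards any legitimate traffic destined to 198.51.100.0/24.
interface GigabitEthernet0/1
 ip verify unicast source reachable-via any
ip route 198.51.100.0 255.255.255.0 Null0
```

Options 2, 3 and 4 are shown on the same interface only for comparison; deploy one of them, not all three. Option 4 is the one that keeps the source-based drop in the forwarding plane, which is the property the poster was hoping policy routing would give.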