On Fri, 28 Mar 2003, Andre Chapuis wrote:
We could ask Cisco and Juniper to add a way of 'artificially' remove networks from the CEF table (with an ACL or so). That way, even with loose-RPF, the packet will be dropped based on source-address at the ingress without consuming CPU.
Keep in mind that this functionality would still be held to the same set of restrictions as uRPF... and you CAN accomplish this with a blackhole setup on your network. By blackholing source prefixes you COULD get this same effect.
Or maybe such a feature already exist
it kind of does... though with some real routing goo, not via an acl.
Andr�
At 09:06 25.03.2003 -0500, Christian Liendo wrote:
Looking for advice.
I am sorry if this was discussed before, but I cannot seem to find this. I want to use source routing as a way to stop a DoS rather than use access-lists.
In other words, lets say I know the source IP (range of IPs) of an attack and they do not change.
If the destination stays the same I can easily null route the destination, but what if the destination constantly changes. So I have to work based on the source IP.
Depending on the router and the code, if I implement an access-list then the CPU utilization shoots through the roof. What I would like to try and do is use source routing to route that traffic to null. I figured it would be easier on the router than an access-list.
Has anyone else tried this successfully on ciscos and junipers? Is it easier on the CPU than access-lists? Is there a link I cannot find on cisco or google?
Thanks Christian Liendo
--------------------- Andre Chapuis IP+ Engineering Swisscom Ltd Genfergasse 14 3050 Bern +41 31 893 89 61 chapuis@ip-plus.net CCIE #6023 ----------------------