RE: Effective ways to deal with DDoS attacks?
chris@UU.NET said:
have been on the receiving end of, the first was generating a little over 300mbit/sec (steady for a prolonged time), and the second went over
fair bit. In both cases, we had core equipment (M20's and BSN5000's) fall over and die trying to "work" the events. Additionally, our upstream
Try a compiled ACL on a 3 port gigE for some fun.

-----Original Message-----
From: Christopher L. Morrow [mailto:chris@UU.NET]
Sent: Thursday, May 02, 2002 9:48 AM
To: Vincent Gillet
Cc: Christopher L. Morrow; measl@mfn.org; Pete Kruckenberg; nanog@merit.edu
Subject: Re: Effective ways to deal with DDoS attacks?

On Thu, 2 May 2002, Vincent Gillet wrote:
that by a peers
Your M20 tipped over?? What were you doing? We regularly stop large (+100Mb->800Mb) attacks with less horsepower than this. Truthfully, a cisco is even capable of filtering (done right) at +200kpps...
On Cisco boxes, it depends too much on Interface type, LC Engine, IOS, ... etc ...
In this you have my whole-hearted agreement :( But, this goes back to 'know your systems, know their boundaries'. All of the people that work here (on our team) know what you can and can't do; we are effective in our jobs because of this. Sure, your random NOC worker or even level 3/4 NOC worker isn't going to know all the ins and outs of security thingies on your backbone equipment, that's why you pay 5-7 people to learn it :)
Besides, some features cannot run concurrently (I remember an ACL on GSR that made my netflow export stop .... it took days to figure this out !!!)
Ha! :) try acl's on engine-2 cards with sub-interfaces! (like the triton gig card... cause no one would ever sub-interface a gig interface, right?)
ACL implementation on GSR is also a nightmare. We are operating more than 70 GSRs with very different interfaces, LC engines and IOS ...
Just 70? Your life is easy then :) Really though, this is, in my opinion, the largest problem Cisco has to overcome. They need to have the 'luxury' that Juniper has: One IOS, one implementation of commands, same commands everywhere... consistency I believe it's called. It's not, obviously, going to happen overnight, but to their credit folks at Cisco ARE working to make the security problem less of a problem. If you are having trouble getting your sales folk from Cisco to listen/understand/pass-along-input you can look for their 'ISP Group' which I'm sure Barry Greene will be happy to properly name and provide contacts for, or perhaps they are in the sites he posted here before?
On Thu, 2 May 2002, LeBlanc, Jason wrote:
Try a compiled ACL on a 3 port gigE for some fun.
Last I recall the IOS didn't even have 'ip access-group' in the config of interfaces :( It took me like three hits of the 'tab' key at 'ip access-g' before I realized it just wasn't there ;(
participants (2)
- Christopher L. Morrow
- LeBlanc, Jason