05-12-2016 12:55 PM - edited 03-10-2019 12:39 AM
We currently have a set of Cisco 2900 series routers (2911, I believe) that handle our primary traffic. We've been subjected to a few DDoS attacks, but have worked to get a resolution on the UDP side. We're also currently looking into an alternate IPS solution that should give us better protection against both UDP- and TCP-based attacks. In the interim, I'm considering options that would help limit our vulnerability to TCP-based attacks - TCP Intercept is one of those options.
From what I've read so far, I should be able to configure this on my 2900s. My question is: is there any risk associated with configuring this on these routers, since they are used for a primary connection into one of our datacenters? In the past, we've experienced attacks >10Gb against this 1Gb tunnel. I assume that if we get hit with anything that significant the TCP intercept probably won't help much, as the router CPU is likely to peg out (unless I'm wrong about that)? Again, this would only be a short-term option until a better solution is put in place.
Thanks in advance,
Andrew
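For reference, this is what a scoped TCP Intercept configuration on IOS looks like; it is an added example, not part of the thread or Cisco's documentation for the 2911 specifically. The ACL name and the 203.0.113.0/24 server range are constructed placeholders; watch mode is used because it only monitors handshakes and resets half-open connections that never complete, which is lighter on the router CPU than intercept mode, where the router proxies every SYN itself.

```cisco
! Limit TCP Intercept to the datacenter servers that actually face the Internet
! (constructed placeholder addresses; substitute the real server range).
ip access-list extended DC-SERVERS
 permit tcp any 203.0.113.0 0.0.0.255 eq 80
 permit tcp any 203.0.113.0 0.0.0.255 eq 443
!
! Apply the list. Watch mode passively tracks the 3-way handshake and sends a
! reset for any embryonic connection still open after watch-timeout seconds.
ip tcp intercept list DC-SERVERS
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! Aggressive mode starts above the high-water marks and stops below the low
! ones (IOS defaults are 1100/900); lowering them makes the router react sooner
! so fewer half-open entries accumulate on a box with limited CPU.
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 600
ip tcp intercept drop-mode random
!
! Verify it is active and watch the CPU while it is, since that is the
! resource the question is worried about:
!   show tcp intercept statistics
!   show tcp intercept connections
!   show processes cpu sorted
```

If `show processes cpu sorted` shows the box saturating once the feature is on, the limiting factor is the 2911 itself and the mitigation needs to move upstream to the provider, as the accepted answer says.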
05-12-2016 10:37 PM
If you get hit with 10Gb/s of traffic and you have a 1Gb/s pipe, nothing you can do on your end will make any difference. You would need help on the service provider side of the pipe to address it.
I don't believe a 2911 has sufficient CPU punch to process TCP intercepts at 1Gb/s - or even get slightly close. So yes, I think the CPU will well and truly peg out.
So in short, I agree with all your thoughts.
I would be looking at a Cisco ASA 5516 Firepower bundle, with some Firepower licences. Actually, maybe you should just jump directly to the 5555 Firepower bundle so you have plenty of horsepower to spare to deal with these attacks. The 5516 would be pegged out if it got smashed with that much attack traffic.
https://apps.cisco.com/ccw/cpc/guest/content/ucsSeriesDetails/series_asa5500