Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Ryan McMahon about DDoS prevention using the Guard modules. You can ask questions on how to stop distributed-denial-of-service (DDoS) attacks with the Cisco Guard. Ryan is an engineer in the Network Solution Integration & Test Engineering (NSITE) group based in Research Triangle Park, NC, where he is a lead on Cisco's distributed denial-of-service (DDoS) solution. He has over eight years of experience with IP networks and various IP security solutions. He has extensively contributed to the design and deployment of various big Service Provider networks.
Remember to use the rating system to let Ryan know if you have received an adequate response.
Ryan might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 11, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Ryan, good to have such an interesting topic in the forum. So for DDoS prevention I think we can filter almost all of them on perimeter routers and firewalls, and even Cisco IPS. Then what is the Cisco Guard product, and how is it different in blocking DDoS than Cisco routers and firewalls? See ya
Router ACLs are a proven way to block specific flows on the perimeter routers of your network. Often these ACLs block RFC 1918 and sources using your address space. The firewalls often perform their function further back in the network. The sooner the packet is dropped, the less impact on your servers and links.
In a DDoS, packets come from all over the internet and can be spoofed or not spoofed. It is difficult to differentiate between valid users and those who are malicious. This is where the Cisco Guard comes in. The Guard can differentiate between valid sources and malicious sources. The Guard then cleans the traffic by removing the malicious flows and sending good flows to the servers. The Guard builds baselines of what traffic looks like during a regular day and can compare it to conditions during a DDoS. Many enterprises and service providers use the Cisco Guard.
Maybe I am missing something here, but I still don't understand why devices like IDS/IPS can't block such DDoS attacks..
There are situations where the IDS/IPS can block an attack. Most IPSs are signature based with some anomaly detection features. A solid DDoS attack makes it very difficult to make a signature in many cases. If a signature can be made, the Guard can extract a signature.
To differentiate between good and bad sources, the Guard actively challenges the packets it receives at a source level. It waits for the appropriate response from the source. This occurs at both the transport level, as in TCP, and the application level, as in SIP, HTTP, and DNS. The Guard maintains a verified sources list and traffic characteristics at a peaceful baseline.
On a side note, the Guard is generally not applied inline or in the data path. During a DDoS, traffic is diverted to the Guard. The Guard scrubs the traffic and then injects/returns it to the normal data path. Common injection methods are GRE/L2/MPLS/MPLS VPNs. In some large deployments we see clusters of Guards deployed to form cleaning centers.
IPSs and firewalls are deployed inline and perform their function well. Guards are deployed to clean an attack, in many cases before the firewalls and IPSs. Firewalls maintain lots of state and could be vulnerable to a DDoS attack themselves.
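The two ideas in Ryan's answers above (a peacetime traffic baseline that flags a DDoS, and per-source challenge/response that separates real clients from spoofed ones) as an added toy simulation. This is constructed example code, not Cisco Guard code; the source addresses, rate samples and the cookie scheme are made up.

```python
"""Toy model of baseline anomaly detection plus per-source verification.
Constructed illustration; the real Cisco Guard implements this in hardware
with far more state and protocol-specific challenges (TCP, HTTP, DNS, SIP)."""
import zlib
from statistics import mean, pstdev

def build_baseline(pps_samples):
    """Peacetime packets-per-second samples -> (mean, population stddev)."""
    return mean(pps_samples), pstdev(pps_samples)

def is_anomalous(baseline, observed_pps, k=3.0):
    """True when the observed rate exceeds mean + k*stddev: divert to scrubbing."""
    mu, sigma = baseline
    return observed_pps > mu + k * sigma

class SourceVerifier:
    """Challenge each unknown source with a cookie; a source that echoes the
    cookie back (i.e. completes the handshake) joins the verified list.
    A spoofed source never sees the challenge, so it is never verified."""
    def __init__(self):
        self.pending = {}      # src -> outstanding cookie (constructed scheme)
        self.verified = set()  # the "verified sources list"
    def challenge(self, src):
        cookie = zlib.crc32(src.encode()) & 0xFFFF  # deterministic toy cookie
        self.pending[src] = cookie
        return cookie
    def respond(self, src, cookie):
        if self.pending.get(src) == cookie:
            self.verified.add(src)
            del self.pending[src]
            return True
        return False

def scrub(packets, verifier, live_sources):
    """Pass packets from verified sources, challenge the rest.
    live_sources: constructed set of addresses that can actually answer."""
    passed, dropped = [], []
    for src, payload in packets:
        if src in verifier.verified:
            passed.append((src, payload))
            continue
        cookie = verifier.challenge(src)
        answered = src in live_sources and verifier.respond(src, cookie)
        (passed if answered else dropped).append((src, payload))
    return passed, dropped

# Constructed sample: one real client, one spoofed flood source.
LIVE_SOURCES = {"10.0.0.1"}
SAMPLE_PACKETS = [("10.0.0.1", "GET /"), ("203.0.113.5", "SYN"),
                  ("203.0.113.5", "SYN"), ("10.0.0.1", "GET /a"),
                  ("203.0.113.5", "SYN")]
```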
Hello. I am looking for an expert to hopefully answer a few questions i have about VACLs. Can you point me to the right Q&A or expert?
Here is the documentation on CCO. You probably already have it.
I don't see a question. Maybe a general switching list may be more appropriate. VACLs can be used for many things. VACLs, as you know, can be used to drop or capture traffic.
Hi, I am trying to implement a simple CBWFQ on a Cisco 3600 and the bandwidth allocation does not work. The 2 sources I use to generate UDP traffic towards one source get an equal share of the bandwidth. The policy maps fail, I guess, but I think there is nothing wrong with it... I'm pasting the config below; please let me know if something is wrong.
! Class maps: each one matches a single UDP flow via an extended ACL
class-map match-all u4p5041
 match access-group 143
class-map match-all u3p5031
 match access-group 133
!
! ACL 143: UDP from 192.168.4.100 to 192.168.1.100, destination port 5041
access-list 143 permit udp host 192.168.4.100 host 192.168.1.100 eq 5041
access-list 143 deny udp any any
! ACL 133: UDP from 192.168.3.100 to 192.168.1.100, destination port 5031
access-list 133 permit udp host 192.168.3.100 host 192.168.1.100 eq 5031
access-list 133 deny udp any any
Let's try to keep the topics about DDoS ;)
I don't have lots of info on your post. Did you add the service policy to the interface? Is there sufficient traffic to lead to congestion on the interface? If there is not enough traffic, the packet will go directly onto the transmit queue instead of the hold queue. This may sound obvious, but it is easily overlooked in a lab setup.
show policy-map utestudp5 and show policy int.
Done all that, and sorry about pasting messages in the wrong forum... but it is overloaded and on the right interface. Is there anything wrong with the configuration I posted?