Cisco Support Community
ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Ryan McMahon about DDOS prevention using the guard modules. You can ask questions on how to stop distributed-denial-of-service (DDoS) attacks with the Cisco guard. Ryan is an engineer in the Network Solution Integration & Test Engineering (NSITE) group based in Research Triangle Park, NC where he is a lead on Cisco's distributed denial-of-service (DDoS) solution. He has over eight years of experience with IP networks and various IP security solutions. He has extensively contributed to the design and deployment of various big Service Provider networks.

Remember to use the rating system to let Ryan know if you have received an adequate response.

Ryan might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 11, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

New Member

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Hi Ryan, good to have such an interesting topic in the forum. So for DDoS prevention I think we can filter almost all of them on perimeter routers and firewalls, and even Cisco IPS. Then what is the Cisco Guard product, and how is it different in blocking DDoS than Cisco routers and firewalls? See ya

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Router ACLs are a proven way to block specific flows on the perimeter routers of your network. Often these ACLs block RFC 1918 and sources using your address space. The firewalls often perform their function further back in the network. The sooner the packet is dropped, the less impact on your servers and links.

In a DDoS, packets come from all over the Internet and can be spoofed or not spoofed. It is difficult to differentiate between valid users and those who are malicious. This is where the Cisco Guard comes in. The Guard can differentiate between valid sources and malicious sources. The Guard then cleans the traffic by removing the malicious flows and sending good flows to the servers. The Guard builds baselines of what traffic looks like during a regular day and can compare it to conditions during a DDoS. Many enterprises and service providers use the Cisco Guard.

http://www.cisco.com/en/US/partner/products/ps6235/index.html
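The perimeter ACL described above, modelled in Python as an added example (this is not IOS code and not part of the original thread). It checks each ingress source against RFC 1918 space and your own prefix, and also renders the same policy as IOS named extended ACL lines, where the wildcard mask is the inverse of the netmask. YOUR_SPACE and the sample packets are constructed values.

```python
"""Model of the perimeter ACL Ryan describes: at the Internet edge, drop
packets whose source is RFC 1918 space or your own address block, since
neither can legitimately arrive from outside. Added example, not IOS code;
YOUR_SPACE and the sample packets are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
YOUR_SPACE = [ipaddress.ip_network("203.0.113.0/24")]  # constructed; use your real prefix(es)
INGRESS_DENY = RFC1918 + YOUR_SPACE


def ingress_verdict(src, denied=INGRESS_DENY):
    """Return 'deny' if src falls inside any denied prefix, else 'permit'.
    Longest-match does not matter here: every denied prefix is a blanket drop."""
    addr = ipaddress.ip_address(src)
    return "deny" if any(addr in net for net in denied) else "permit"


def filter_ingress(packets, denied=INGRESS_DENY):
    """Apply the verdict to (src, dst) tuples; return (permitted, dropped)."""
    permitted, dropped = [], []
    for src, dst in packets:
        (permitted if ingress_verdict(src, denied) == "permit" else dropped).append((src, dst))
    return permitted, dropped


def acl_lines(name, denied=INGRESS_DENY):
    """Render the same policy as IOS named extended ACL lines. IOS takes a
    wildcard mask (inverse of the netmask), which ipaddress exposes as hostmask."""
    lines = [f"ip access-list extended {name}"]
    for net in denied:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return lines


def demo():
    """Constructed sample: one packet spoofed from private space, one spoofed
    with our own address block, one legitimate remote client."""
    packets = [("10.1.2.3", "203.0.113.10"),
               ("203.0.113.77", "203.0.113.10"),
               ("198.51.100.5", "203.0.113.10")]
    permitted, dropped = filter_ingress(packets)
    return {"permitted": [p[0] for p in permitted], "dropped": [p[0] for p in dropped]}


if __name__ == "__main__":
    print("\n".join(acl_lines("FROM-INTERNET")))
    print(demo())
```

The generated ACL ends with a permit, which is only appropriate for the kind of edge filter discussed here; a firewall policy further back would normally default to deny.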

New Member

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Maybe I am missing something here, but I still don't understand why devices like IDS/IPS can't block such DDoS attacks.

Cisco Employee

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

There are situations where the IDS/IPS can block an attack. Most IPSs are signature based with some anomaly detection features. In many cases a solid DDoS attack makes it very difficult to make a signature from. If a signature can be made, the Guard can extract a signature.

To differentiate between good and bad sources, the Guard actively challenges the packets it receives at a source level. It waits for the appropriate response from the source. This occurs at both the transport level, like in TCP, and the application level, in SIP, HTTP, and DNS. The Guard maintains a verified sources list and traffic characteristics at a peaceful baseline.

On a side note, the Guard is generally not applied inline or in the data path. During a DDoS, traffic is diverted to the Guard. The Guard scrubs the traffic and then injects/returns it to the normal data path. Common injection methods are GRE/L2/MPLS/MPLS VPNs. In some large deployments we see clusters of Guards deployed to form cleaning centers.

IPS and firewalls are deployed inline and perform their function well. Guards are deployed to clean an attack, in many cases before the firewalls and IPSs. Firewalls maintain lots of state and could be vulnerable to a DDoS attack themselves.
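A toy model of the two behaviours Ryan describes, added here as an example and not Cisco Guard code: a peacetime baseline that decides whether traffic is anomalous enough to divert, and a transport-level source challenge that only admits sources that actually answer (a spoofed address never sees the challenge, so it never completes it). Only the TCP-style challenge is modelled, not the SIP/HTTP/DNS application-level checks. SECRET, the sample rates and all addresses are constructed.

```python
"""Toy model of a scrubber: peacetime baseline -> anomaly decision -> active
source verification during the flood. Added example, not Cisco Guard code;
SECRET, the sample rates and the addresses are constructed."""
import hashlib
import hmac
import statistics

SECRET = b"constructed-per-device-secret"


def build_baseline(peacetime_pps):
    """Mean and population stdev of packets-per-second samples from a quiet period."""
    return statistics.mean(peacetime_pps), statistics.pstdev(peacetime_pps)


def is_anomalous(current_pps, baseline, k=3.0):
    """Flag a rate more than k standard deviations above the peacetime mean.
    The max(..., 1.0) floor stops a perfectly flat baseline tripping on noise."""
    mean, sd = baseline
    return current_pps > mean + k * max(sd, 1.0)


def challenge(src):
    """Cookie the scrubber sends back to a new source (SYN-cookie style):
    keyed so it cannot be guessed, truncated so it fits a sequence number."""
    return hmac.new(SECRET, src.encode(), hashlib.sha256).hexdigest()[:16]


def reply_from(src, reachable):
    """Model the source's answer. Only a host that really owns the address
    receives the challenge; a spoofed source never answers."""
    return challenge(src) if src in reachable else None


def scrub(packets, reachable, verified=None):
    """Forward packets from verified sources; challenge unknown ones once.
    Returns (forwarded, dropped, verified). A real device answers the first
    SYN with the cookie and waits for the retransmit; here that exchange is
    collapsed into one reply_from() call."""
    verified = set() if verified is None else verified
    forwarded, dropped = [], []
    for src, dst in packets:
        if src not in verified:
            if hmac.compare_digest(reply_from(src, reachable) or "", challenge(src)):
                verified.add(src)
            else:
                dropped.append((src, dst))
                continue
        forwarded.append((src, dst))
    return forwarded, dropped, verified


def simulate():
    """Constructed scenario: 3 real clients plus 50 spoofed sources hitting one server."""
    baseline = build_baseline([100, 120, 110, 95, 105])  # constructed peacetime pps
    server = "192.0.2.10"
    real = [f"10.0.0.{i}" for i in range(1, 4)]
    spoofed = [f"198.51.100.{i}" for i in range(1, 51)]
    packets = [(s, server) for s in real for _ in range(5)]
    packets += [(s, server) for s in spoofed for _ in range(20)]
    current_pps = len(packets)  # treat the batch as one second of traffic
    if not is_anomalous(current_pps, baseline):
        return {"diverted": False, "forwarded": current_pps, "dropped": 0, "verified": 0}
    forwarded, dropped, verified = scrub(packets, reachable=set(real))
    return {"diverted": True, "forwarded": len(forwarded),
            "dropped": len(dropped), "verified": len(verified)}


if __name__ == "__main__":
    print(simulate())
```

The verified set persists across calls to scrub(), which is the point Ryan makes about the Guard keeping a verified sources list: a client pays the challenge cost once, not per packet.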

New Member

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Ryan,

Hello. I am looking for an expert to hopefully answer a few questions I have about VACLs. Can you point me to the right Q&A or expert?

Thank You,

Adam LaBorde

Cisco Employee

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Here is the documentation on CCO. You probably already have it.

http://www.cisco.com/en/US/customer/products/hw/routers/ps368/products_configuration_guide_chapter09186a008069a3c8.html

I don't see a question. Maybe a general switching list may be more appropriate. VACLs can be used for many things. VACLs, as you know, can be used to drop or capture traffic.

New Member

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Hi, I am trying to implement a simple CBWFQ on a Cisco 3600 and the bandwidth allocation does not work. The 2 sources I use to generate UDP traffic towards one source get an equal share of the bandwidth. The policy maps fail I guess, but I think there is nothing wrong with them... I'm pasting the config below; please let me know if something is wrong.

access-list 143 permit udp host 192.168.4.100 host 192.168.1.100 eq 5041
access-list 143 deny udp any any
access-list 133 permit udp host 192.168.3.100 host 192.168.1.100 eq 5031
access-list 133 deny udp any any
!
class-map match-all u4p5041
 match access-group 143
class-map match-all u3p5031
 match access-group 133
!
policy-map utestudp5
 class u3p5031
  bandwidth 6000
  queue-limit 10
 class u4p5041
  bandwidth 1500
  queue-limit 10

Regards

Cisco Employee

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Let's try to keep the topics about DDOS ;)

I don't have lots of info on your post. Did you add the service policy to the interface? Is there sufficient traffic to lead to congestion on the interface? If there is not enough traffic, the packet will go directly on the transmit queue instead of the hold queue. This may sound obvious but it is easily overlooked in a lab setup.

Use show policy-map utestudp5 and show policy int.
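A fluid model of what CBWFQ guarantees, added as an example to illustrate Ryan's point that the bandwidth statements only change anything once the interface is congested (this is not IOS code and not part of the thread). The class names and kbps values come from the posted policy-map; the 10 Mbps link rate and the offered loads are constructed. One caveat worth knowing: IOS by default lets a policy reserve at most 75% of interface bandwidth, so 6000 + 1500 kbps fits a 10 Mbps interface exactly and would be rejected on anything slower.

```python
"""Weighted max-min (water-filling) allocation, which is the steady-state
share CBWFQ converges to: every class gets min(demand, guaranteed share), and
leftover capacity is redistributed in proportion to the guarantees.
Added example, not IOS code; link rate and offered loads are constructed."""


def cbwfq_share(link_kbps, offered_kbps, guaranteed_kbps):
    """Return the per-class throughput (kbps, rounded) for the given link,
    offered load per class, and the 'bandwidth' statement per class."""
    alloc = {c: 0.0 for c in offered_kbps}
    remaining = float(link_kbps)
    active = set(offered_kbps)
    while active and remaining > 1e-9:
        total_w = sum(guaranteed_kbps[c] for c in active)
        # Classes whose leftover demand fits inside their weighted slice of
        # what is still free are saturated by their own demand, not the link.
        satisfied = [c for c in active
                     if offered_kbps[c] - alloc[c] <= remaining * guaranteed_kbps[c] / total_w]
        if satisfied:
            for c in satisfied:
                remaining -= offered_kbps[c] - alloc[c]
                alloc[c] = float(offered_kbps[c])
                active.remove(c)
        else:
            # Everyone left wants more than their slice: the link is the
            # bottleneck, so split what remains by weight and stop.
            for c in active:
                alloc[c] += remaining * guaranteed_kbps[c] / total_w
            remaining = 0.0
    return {c: round(v, 1) for c, v in alloc.items()}


def lab_comparison(link_kbps=10000):
    """The posted classes (6000 and 1500 kbps) on a constructed 10 Mbps link,
    once with the two UDP generators below the link rate and once well above it."""
    guaranteed = {"u3p5031": 6000, "u4p5041": 1500}
    return {
        "uncongested": cbwfq_share(link_kbps, {"u3p5031": 2000, "u4p5041": 2000}, guaranteed),
        "congested": cbwfq_share(link_kbps, {"u3p5031": 8000, "u4p5041": 8000}, guaranteed),
    }


if __name__ == "__main__":
    for case, shares in lab_comparison().items():
        print(case, shares)
```

In the uncongested case both classes get exactly what they offer, which looks like an "equal share" even though the policy is attached and working; only the congested case shows the 4:1 ratio the bandwidth statements imply.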

New Member

Re: ASK THE EXPERT - DDOS PREVENTION USING THE GUARD MODULES

Done all that, and sorry about pasting messages in the wrong forum... but it is overloaded and on the right interface. Is there anything wrong with the configuration I posted?
