I am doing abit of research into mitigating DDOS attacks when using the 6500 switch with a Sup720 3BXL supervisor card as a core router. I would assume this can only be answered by experienced networks engineers who have worked with these switches but maybe i'm wrong.
Anyways we have had problems with the above platform and found a 5GBPS DDOS attack caused havoc with the 6500, it was major service affecting to everyone inside the network, i was not there when the DDOS hit but it sounds like it must have saturated the route processor or something. So i have been reading up on the 6500+sups and see they are suppose to be quite resilient to DDOS if configured correctly.
[b]1)[/b] Using the control plane policy rate limit, the example is in bold below.
[b]"The following is a configuration example of CoPP for the reporting class of traffic such as ICMP. It is first essential to use the "mls qos" CLI to allow hardware CoPP DoS mitigation. Access-list and class-maps should then be defined to match the ICMP traffic. The following CoPP policy-map limits reporting traffic to 100 Kbps. After the policy-map is applied to the control-plane interface with the service-policy input command, ICMP traffic to the route processor is limited to 100 Kbps in hardware.
Router(config)# mls qos
Router(config)# access-list 101 permit icmp any any
Router(config)# class-map reporting Router(config-cmap)# match access-group 101
Router(config)# policy-map control-plane-policy Router(config-pmap)# class reporting Router(config-pmap-c)# police 100000 conform-action transmit exceed-action drop
This seems like it would work but for only ICMP traffic, can anyone explain how effective this method is or comment on the advantages/disadvantages of implementing it?
Another way could be implementing an ACL on an ingress port that the DDOS is entering the network on, i believe somebody tried this and found the DDOS was too large and spilt the processing out of the hardware and into the software and saturated the route processor, the fix to this was implement the following command which apparently dropped all packets that overflowed out of the hardware processing (replying to ICMP) and protected the CPU?
[b][/b]mls rate-limit unicast ip icmp unreachable acl-drop 0
access-list 101 remark DOS Attack blocker > access-list 101 deny udp any host 18.104.22.168 access-list 101 deny ip any host 22.214.171.124 fragments > access-list 101 permit ip any any > > ip access-group 101 in no ip unreachables[b][/b]
The ACL in this example was to filter UDP traffic not ICMP from what i can tell and also has a fragment filter that drops all fragmented packets protecting the router CPU from having to reassemble the packets? I also hear that you NEED to implement the IP unreachable s command on the interface for this to be effective also? Anyone know why?
Can anyone expand on what i have so far or comment on effectiveness of these mitigation techniques or anything that may be missing/wrong? I don't have a great understanding of the architecture of the 6500 yet although i have read up quite abit, i just find it confusing in parts.
DDoS comes in various size and shapes. If you have ample IPS/IDS/FW you will be able to stop or mitigate a significant portion of any DDoS directed from the outside.
The biggest threat to corporate network nowadays is a set of recently discovered DDoS tools that any person, without any knowledge of scripting, can use that can bring any network down in a matter of minutes. I am talking about the "terrible twins": Low Orbit(al) Ion Cannon (LOIC) and High Orbit(al) Ion Cannon (HIOC).
Both softwares are freely available over the net and, currently, nothing can truely mitigate HIOC. There are advisories on stopping LOIC but HIOC is truly the "King Kong" of them all. One of the temporary way of slowing down (not stopping) an HOIC attack is to cooperate/coordinate with your ISP upstream and ask them to throttle any HTTP/HTTPS traffic down to, for example, 512 kbps connection. This will alleviate any sustained attack from multiple sources.
This is actually a pretty cool feature, i didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk), only if a certain condition existed. This is exactly what conditional advertisements does
j ai une question j ai achete un routeur cisco 887VA-k9 , je le configuré avec la configuration ci- dessous
si je le lier avec mon pc portable sur l un de ses ports directement ça marche toute est bien ( la connexion internet + m...
Attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.