09-18-2013 12:17 AM - edited 03-04-2019 09:04 PM
Hello,
I have a small router (a 2911) connected to the main Internet router (a GSR). This GSR has peering with ISPs; there is a default route on the 2911 pointing to the GSR, and all users connected to the 2911 go out from the 2911 to the GSR. I had a DDoS attack on the 2911. My question is how I can protect the 2911 from this kind of attack. I have some queries, if you can help me:
1. What access-list do I need to configure to protect the 2911 router? For example ICMP, HTTP...
2. What is the CoPP configuration that will allow us to access this router during an attack when the CPU is high?
3. I heard the ASR and 7200 have some feature to protect these routers from DDoS attacks. Is it helpful for all kinds of DDoS attacks?
Thanks in advance.
09-18-2013 04:24 AM
Hi,
Unless the attack is targeting your router, CoPP won't help much. CoPP protects the router CPU by rate limiting process-switched packets; control traffic and traffic that targets the router itself are process switched. Normal CEF-switched packets are not. If the attack is targeting your public-facing server, CoPP on the router cannot do anything. Sometimes the provider can help you detect abnormal traffic during a DDoS attack and drop the attack traffic on their end. On your end, to protect yourself from DDoS, you need some device that can detect the abnormal traffic and drop it or redirect it to a scrubbing process. You can also consider a vendor that offers scrubbing services, like Prolexic.
HTH,
Lei Tian
09-18-2013 05:40 AM
You could configure a Zone-Based Firewall on your router to improve security. See the config guide below:
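A minimal Zone-Based Firewall configuration in the spirit of that suggestion, written as an added example (it is not taken from the config guide the post refers to, nor from the original poster's router). It assumes GigabitEthernet0/0 faces the users and GigabitEthernet0/1 is the uplink to the GSR; the interface and zone names are placeholders.

```ios
! Added example, not from the referenced config guide.
! Assumptions: Gi0/0 = user LAN, Gi0/1 = uplink to the GSR.
! Only the INSIDE -> OUTSIDE direction is inspected. Because no
! OUTSIDE -> INSIDE zone-pair exists, sessions initiated from the
! Internet toward the users are dropped by the inter-zone default
! policy; only return traffic for inspected sessions is allowed back.
! Traffic to the router itself belongs to the implicit "self" zone and
! is NOT restricted by this policy; that is what CoPP (see Lei's reply)
! and an interface ACL are for.
!
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
interface GigabitEthernet0/0
 description User LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Uplink to GSR (assumed)
 zone-member security OUTSIDE
!
! Check the state table while traffic flows:
!   show policy-map type inspect zone-pair sessions
```

The point worth keeping in mind for this thread is the last comment in the block: ZBF controls transit sessions between zones, so it helps the users behind the 2911 but does nothing for a flood aimed at the router's own addresses.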
09-20-2013 08:12 AM
Hello Lei,
Thank you for the reply, but if I use CoPP, will I be able to access the router using telnet even when the CPU is high? Am I right?
1. Can I use an ASR1000 instead of the 2911 to protect from DDoS attacks, as I read in the document?
2. If I apply an access-list to minimize the amount of ICMP or UDP, is it useful or not, because that attack was UDP streaming?
Thanks in advance
09-20-2013 01:43 PM
Hi,
CoPP will rate limit the control plane traffic and make sure the CPU will not go high. So if the attack is targeting the router itself, CoPP can help. Compared to the ISR platform, the ASR1K supports CoPP in hardware, so it will perform better when the router itself is under attack.
If you know the profile of the attack, then yes, an ACL can block the attack. However, a DDoS attack is normally legitimate traffic, which you cannot block until it happens.
There are tools that can be used to detect and protect from DDoS attacks, like uRPF and NetFlow, which you can find at the following link.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap7.html
HTH,
Lei Tian
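The CoPP policy Lei describes, as an added example (it is not Lei's configuration or a Cisco reference config). It assumes 192.0.2.0/24 is the trusted management prefix, and every policer rate is a placeholder to be tuned against what `show policy-map control-plane` reports in normal operation. The management class gets its own policer so that an SSH session still reaches the router while everything else addressed to it (including a UDP flood, which lands in class-default) is capped.

```ios
! Added example; not Lei's or Cisco's configuration.
! Assumptions: 192.0.2.0/24 = trusted admin prefix; rates are placeholders.
! CoPP applies only to packets destined to the router itself (process
! switched). Transit traffic to users behind the 2911 is not affected.
! On a 2911 the policy is enforced in software; Lei notes the ASR1K
! does this in hardware, which is why it copes better under attack.
!
ip access-list extended ACL-COPP-MGMT
 remark Management sessions from the admin prefix only
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
ip access-list extended ACL-COPP-ICMP
 remark ICMP the router needs for reachability tests and PMTUD
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
!
ip access-list extended ACL-COPP-UNDESIRABLE
 remark Fragments addressed to the router: no service here needs them
 permit tcp any any fragments
 permit udp any any fragments
 permit icmp any any fragments
!
class-map match-all CM-COPP-MGMT
 match access-group name ACL-COPP-MGMT
class-map match-all CM-COPP-ICMP
 match access-group name ACL-COPP-ICMP
class-map match-all CM-COPP-UNDESIRABLE
 match access-group name ACL-COPP-UNDESIRABLE
!
policy-map PM-COPP
 class CM-COPP-MGMT
  police 512000 8000 8000 conform-action transmit exceed-action drop
 class CM-COPP-ICMP
  police 64000 8000 8000 conform-action transmit exceed-action drop
 class CM-COPP-UNDESIRABLE
  police 8000 1500 1500 conform-action drop exceed-action drop
 class class-default
  police 128000 8000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
!
! Verify per-class conform/exceed counters during and after an event:
!   show policy-map control-plane
```

Two checks before trusting the numbers: confirm that the conform counter of CM-COPP-MGMT is non-zero when you log in (otherwise the management ACL does not match your real source addresses), and watch class-default for exceed drops over a normal day so the cap is set above legitimate peaks.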
09-21-2013 05:12 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
It's impossible to block all DDoS attacks, because such attacks "look" legitimate. What gives them away would be some "volume" higher than expected and/or that they don't follow the expectations for whatever they are doing.
Your first line of defense is to block all access to the router itself, and only permit such access as is absolutely required (and expected).
For example, on an Internet connected router, you might have an ingress ACL that blocks all traffic to the Internet facing interface's IP. (This doesn't block traffic transiting that interface.)
If, though, you wanted to allow remote device access using that interface's IP, then you would have ACLs that perhaps limit what the ingress packet's source IP might be. You might also disable source routing and use reverse path verification. If the device supports it, you might also enable the timer on half-open TCP connections.
Cisco has some great documentation for "hardening" their routers, and in some of their later IOS images, they even support an "autosecure" command feature.
On their smaller platforms their simple GUI configuration tools often supported a security audit against your device, often with an option to enable specific security recommendations.
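The hardening steps Joseph lists, collected into one configuration as an added example (not Joseph's or Cisco's configuration). All addresses are documentation-range placeholders: 198.51.100.2/30 is the 2911's uplink address, 192.0.2.0/24 the admin prefix allowed to manage it, and 203.0.113.0/24 the user prefix behind it. TCP Intercept in watch mode is used here as the "timer on half-open TCP connections"; it protects servers in the user prefix, not the router itself.

```ios
! Added example; not Joseph's or Cisco's configuration.
! Assumptions: Gi0/1 uplink = 198.51.100.2/30, admin prefix =
! 192.0.2.0/24, user prefix behind the router = 203.0.113.0/24.
!
! Global hardening
no ip source-route
ip cef
!
! Ingress ACL on the Internet-facing interface: blocks everything
! addressed to the interface's own IP except what is required, and
! drops spoofed packets claiming to come from our own users.
! Transit traffic to the users is not blocked here.
ip access-list extended ACL-IACL-UPLINK
 remark Management only from the admin prefix (assumed)
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.2 eq 22
 remark ICMP needed to troubleshoot reachability and PMTUD
 permit icmp any host 198.51.100.2 echo
 permit icmp any host 198.51.100.2 unreachable
 permit icmp any host 198.51.100.2 ttl-exceeded
 remark Everything else aimed at the router itself is dropped
 deny ip any host 198.51.100.2 log
 remark Anti-spoofing: our user prefix never arrives from the Internet
 deny ip 203.0.113.0 0.0.0.255 any log
 remark Transit to users passes; CoPP/ZBF handle the rest
 permit ip any any
!
! Half-open TCP protection for servers in the user prefix:
! TCP Intercept watch mode resets connections not completed in time.
ip access-list extended ACL-TCP-INTERCEPT
 permit tcp any 203.0.113.0 0.0.0.255
ip tcp intercept list ACL-TCP-INTERCEPT
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
!
interface GigabitEthernet0/1
 description Uplink to GSR (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group ACL-IACL-UPLINK in
 remark-free note: loose uRPF here, because the default route points
 ! out this interface and strict mode would drop valid Internet sources
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/0
 description User LAN (assumed)
 ip address 203.0.113.1 255.255.255.0
 ! Strict uRPF: users may only source packets from the prefix routed here
 ip verify unicast source reachable-via rx
!
! Verify: show ip interface GigabitEthernet0/0 | include verify
!         show access-lists ACL-IACL-UPLINK
!         show tcp intercept statistics
```

The choice of loose versus strict uRPF per interface is the part most often gotten wrong: strict mode on the uplink of a router whose only route outward is a default route would drop legitimate Internet traffic, while strict mode on the user side is exactly what stops users from sourcing spoofed packets. Joseph's mention of `auto secure` remains a valid shortcut; this block is the equivalent done by hand so each line can be reviewed.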
09-27-2013 05:46 AM
Thanks Lei and Joseph for the assistance