New Member

protect Internet from attack

Hello,

I have a small 2911 router connected to the main Internet router, a GSR. The GSR has peering with the ISPs. There is a default route on the 2911 pointing to the GSR, and all users connected to the 2911 go from the 2911 to the GSR. I had a DDoS attack on the 2911. My question is how I can protect the 2911 from this kind of attack. I have some queries, if you can help me:

1. What access list do I need to configure to protect the 2911 router, for example for ICMP, HTTP...?

2. What CoPP configuration will allow us to access this router during an attack when the CPU is high?

3. I heard the ASR and 7200 have some features to protect these routers from DDoS attacks. Are they helpful for all kinds of DDoS attack?

Thanks in advance.

Cisco Employee

Re: protect Internet from attack

Hi,

Unless the attack is targeting your router, CoPP won't help much. CoPP protects the router CPU by rate-limiting process-switched packets; control traffic and traffic that targets the router itself are process switched. Normal CEF-switched packets are not. If the attack is targeting your public-facing server, CoPP on the router cannot do anything. Sometimes the provider can help you detect abnormal traffic during a DDoS attack and drop the attack traffic on their end. On your end, to protect yourself from DDoS, you need some device that can detect the abnormal traffic and drop the traffic or redirect it to a scrubbing process. You can also consider a vendor that offers scrubbing services, like Prolexic.

HTH,
Lei Tian


protect Internet from attack

You could configure a Zone Based Firewall on your router to improve security. See below a config guide:

https://supportforums.cisco.com/docs/DOC-27487

New Member

protect Internet from attack

Hello Lei,

Thank you for the reply, but if I use CoPP, I will be able to access the router using telnet even when the CPU is high, am I right?

1. Can I use an ASR1000 instead of the 2911 to protect against DDoS attacks, as I read in the document?

2. If I apply an access list to minimize the number of ICMP or UDP packets, is that useful or not? I ask because that attack was UDP streaming.

Thanks in advance.

Cisco Employee (Accepted Solution)

Re: protect Internet from attack

Hi,

CoPP will rate-limit the control plane traffic and make sure the CPU will not go high. So if the attack is targeting the router itself, CoPP can help. Compared to the ISR platform, the ASR1K supports CoPP in hardware, so it will perform better when the router itself is under attack.

If you know the profile of the attack, then yes, an ACL can block the attack. However, a DDoS attack is normally legitimate traffic, which you cannot block until it happens.

There are tools that can be used to detect and protect against DDoS attacks, like uRPF and NetFlow, which you can find at the following link.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap7.html

HTH,

Lei Tian
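A CoPP policy of the kind discussed in this reply, sketched as an added example that is not part of the original posts: management sessions from a trusted subnet are classified first so they stay reachable while everything else punted to the CPU is policed. The class and ACL names, the 192.0.2.0/24 management subnet and all police rates are assumptions and must be tuned against a measured baseline.

```cisco
! Constructed example: names, addresses and rates are placeholders.
! 192.0.2.0/24 = assumed management subnet allowed to reach the router.
ip access-list extended COPP-MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 any eq telnet
ip access-list extended COPP-ICMP-ACL
 permit icmp any any
! Catch-all for any other IP traffic addressed to the router itself
ip access-list extended COPP-OTHER-IP-ACL
 permit ip any any
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL
class-map match-all COPP-OTHER-IP
 match access-group name COPP-OTHER-IP-ACL
!
policy-map COPP-POLICY
 ! Trusted management: counted, never dropped
 class COPP-MGMT
  police 256000 conform-action transmit exceed-action transmit
 ! ICMP to the router: small budget, excess dropped
 class COPP-ICMP
  police 32000 conform-action transmit exceed-action drop
 ! Remaining IP to the router (e.g. a UDP flood at its address)
 class COPP-OTHER-IP
  police 64000 conform-action transmit exceed-action drop
 ! class-default is left unpoliced so non-IP control traffic such as
 ! ARP is not starved
!
control-plane
 service-policy input COPP-POLICY
```

`show policy-map control-plane` reports conformed and exceeded counters per class, which is how the rates are validated before and during an incident. As the earlier reply notes, this only covers packets punted to the router CPU, not CEF-switched transit traffic.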

Super Bronze

Re: protect Internet from attack

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

It's impossible to block all DDoS attacks, because such attacks "look" legitimate. What gives them away would be some "volume" higher than expected and/or they don't follow the expectations for whatever they are doing.

Your first line of defense is to block all access to the router, itself, and only permit such access that's absolutely required (and expected).

For example, on an Internet connected router, you might have an ingress ACL that blocks all traffic to the Internet facing interface's IP. (This doesn't block traffic transiting that interface.)

If, though, you wanted to allow remote device access using that interface's IP, then you would have ACLs that perhaps limit what the ingress packet's source IP might be. You might also disable source-routing and use reverse path verification. If the device supports it, you might also enable the timer on half open TCP connections.

Cisco has some great documentation for "hardening" their routers, and in some of their later IOS images, they even support an "autosecure" command feature.

On their smaller platforms their simple GUI configuration tools often supported a security audit against your device, often with an option to enable specific security recommendations.
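The ingress ACL, source-routing and reverse path verification measures from this post, written out as an added example that is not part of the original thread. The interface name, the 203.0.113.2 interface address and the 192.0.2.0/24 management subnet are assumptions; the `allow-default` keyword is used because the original question describes a router whose only path to the Internet is a default route.

```cisco
! Constructed example: interface, addresses and names are placeholders.
! Gi0/0 = Internet-facing uplink, 203.0.113.2 = its own address,
! 192.0.2.0/24 = the only network allowed to manage the router.
no ip source-route
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
ip access-list extended UPLINK-IN
 remark Remote access to the interface IP, trusted sources only
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.2 eq 22
 remark Everything else addressed to the interface IP is dropped
 deny   ip any host 203.0.113.2
 remark Transit traffic through the interface is not affected
 permit ip any any
!
! Caveat: assumes no NAT overload on 203.0.113.2. The inbound ACL is
! checked before NAT, so translated return traffic to that address
! would hit the deny line.
!
! Reverse path verification. allow-default lets sources that match
! only the default route pass; packets claiming a source that is
! routed out another interface (spoofed inside addresses) are dropped.
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group UPLINK-IN in
 ip verify unicast source reachable-via rx allow-default
!
! Same source restriction enforced on the vty lines themselves
line vty 0 4
 access-class 10 in
 transport input ssh
```

`show ip access-lists UPLINK-IN` shows per-entry hit counts, and `show ip interface GigabitEthernet0/0` reports the uRPF verification drop counter.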

New Member

protect Internet from attack

Thanks Lei and Joseph for the assistance.
