More on DDOS attacks
From Cisco, for any one who hasn't seen it already.
Title: Distributed Denial of Service (DDoS) News Flash
URL: http://www.cisco.com/warp/public/707/newsflash.html
Posted: February 9, 2000
Summary: This Security Advisory talks about Distributed Denial of Service (DDoS). More specifically, it will help you:
1) Recognize programs used to facilitate DDoS attacks
2) Apply measures to prevent the attacks
3) Gather forensic information if you suspect an attack
4) Learn more about host security

I have recently had the opportunity to try the "ip verify unicast reverse-path" command in a lab environment; it works with CEF on Cisco IOS 12.0. It seems relatively effective with about a 30% increase in distributed CPU utilisation (ie. 10% becomes 13%, not 40%). We had every packet flooding an interface with bogus source addresses, it happily discarded them all. And yes, it even forwarded the packets with valid source addresses ;-)

It seems best suited to run at the edge of the network in from your downstream customers. There is no point running it on links in from upstream providers in most cases.

We also lab tested Turbo Access-Lists, and found them very effective on long access-lists; in the worst case the CPU loading on a VIP increased by about 40%, as opposed to a 200 entry non-Turbo Access-list which increased distributed CPU utilisation by as much as 95%.

Arron Scott
Telecom NZ

---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
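As an added illustration of what the reverse-path check discussed in this thread actually does, here is a small Python model of unicast RPF (uRPF) over a longest-prefix-match routing table. It is not Cisco code and not from any poster; the routing table, interface names and packets are constructed. It models two things the thread touches on: strict mode, where the best route for the packet's source must point back out the interface the packet arrived on (this is what "ip verify unicast reverse-path" checks), and the fact that a bare default route does not count as a valid reverse path unless the router is told to allow it (IOS's "allow-default" option, assumed here as a flag). It also goes slightly beyond the thread by including loose mode, a later IOS variant that only requires some route to exist for the source; that is included to show why strict mode at an upstream-facing interface or across asymmetric paths drops legitimate traffic, which is the reason given above for running it only towards downstream customers.

```python
"""Model of Cisco-style unicast reverse-path forwarding (uRPF) checks.

Added illustration: constructed routing table and packets, not from the thread.
"""
import ipaddress

# Constructed FIB: (prefix, interface the router would forward that prefix out of).
SAMPLE_FIB = [
    ("0.0.0.0/0", "Serial0"),       # default route towards the upstream provider
    ("10.1.0.0/16", "Ethernet1"),   # downstream customer A
    ("10.2.0.0/16", "Ethernet2"),   # downstream customer B
    ("10.2.5.0/24", "Ethernet1"),   # part of B's space that is reached via A (asymmetric path)
]


def build_fib(entries):
    """Parse (prefix, interface) pairs into ip_network objects."""
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, ingress, allow_default=False):
    """Strict mode: the best route for the source must point back out the ingress interface.

    A default route only counts when allow_default is set (modelled on IOS 'allow-default').
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def urpf_loose(fib, src, allow_default=False):
    """Loose mode (later IOS feature, not in the thread): any non-default route suffices."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    return allow_default or hit[0].prefixlen != 0


def evaluate(fib, packets, allow_default=False):
    """Return {(src, ingress): (strict_passes, loose_passes)} for each constructed packet."""
    return {
        (src, ingress): (
            urpf_strict(fib, src, ingress, allow_default),
            urpf_loose(fib, src, allow_default),
        )
        for src, ingress in packets
    }


# Constructed packets: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("10.1.3.4", "Ethernet1"),        # legitimate customer A traffic
    ("192.0.2.1", "Ethernet1"),       # spoofed source arriving from customer A
    ("10.2.5.7", "Ethernet2"),        # legitimate, but the return path is via Ethernet1
    ("198.51.100.5", "Serial0"),      # arriving from the upstream, only a default route matches
]

if __name__ == "__main__":
    fib = build_fib(SAMPLE_FIB)
    for (src, ingress), (strict, loose) in evaluate(fib, SAMPLE_PACKETS).items():
        print(f"{src:>14} on {ingress:<9} strict={'pass' if strict else 'DROP':<4} "
              f"loose={'pass' if loose else 'DROP'}")
```

The third packet is the case to watch: the source is legitimate, but because its best route points out a different interface, strict mode discards it while loose mode does not. The fourth shows why the check is not useful on the upstream side: with only a default route to match, strict mode drops everything unless the default is explicitly allowed, at which point it accepts any source not owned by a downstream and so filters nothing useful there.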
Arron Scott wrote:
I have recently had the opportunity to try the "ip verify unicast reverse-path" command in a lab environment, it works with CEF on Cisco IOS 12.0. It seems relatively effective with about a 30% increase in distributed CPU utilisation (ie. 10% becomes 13%, not 40%). We had every packet flooding an interface with bogus source addresses, it happily discarded them all. And yes, it even forwarded the packets with valid source addresses ;-)
And we were running with it on earlier versions of 12 and it broke after a week.... and it was the breaking after a week that was the problem.... YMMV.

Cheers
-- Sid
What broke ?

Arron
-----Original Message-----
From: sjones(a)netlink.net.nz [mailto:sjones(a)netlink.net.nz] On Behalf Of Sid Jones
Sent: Monday, February 21, 2000 17:16
To: Arron Scott
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: More on DDOS attacks
Arron Scott wrote:
I have recently had the opportunity to try the "ip verify unicast reverse-path" command in a lab environment, it works with CEF on Cisco IOS 12.0. It seems relatively effective with about a 30% increase in distributed CPU utilisation (ie. 10% becomes 13%, not 40%). We had every packet flooding an interface with bogus source addresses, it happily discarded them all. And yes, it even forwarded the packets with valid source addresses ;-)
And we were running with it on earlier versions of 12 and it broke after a week.... and it was the breaking after a week that was the problem.... YMMV.
Cheers
-- Sid
On Mon, 21 Feb 2000, Arron Scott wrote:
What broke ?
It was shall we say "a little aggressive" in what it thought was allowed to move up and down the interfaces where it was configured. Routing started failing, more routes ceased to function the longer the function was turned on, we turned it off and routing was restored.
From memory we trialled it with something like 12.0.2a(T) on 3640's that also needed to be reliably running ISDN and NetFlow (it worked out to be a case of choose any 2).
I've been meaning to have another try with a newer version of 12 (especially as 12 has gone GD) so your experience is only going to encourage me; can I ask what version of IOS and what platform your lab setup was using? I'd concur with what you saw with the CPU increase as well, minimal.

Cheers
-- Sid
I've been meaning to have another try with a newer version of 12 (especially as 12 has gone GD) so your experience is only going to encourage me; can I ask what version of IOS and what platform your lab setup was using?
You might want to try the S-branch. This is targeted towards ISPs and service providers with stability (not features) in mind. That's not to say it is very stable; the last I tried 12.0.7(S) was pretty horrible. I have '9 down but not tested yet.

-cw
-- Chris Wedgwood
chris.wedgwood(a)clear.co.nz
Chris Wedgwood wrote:
That's not to say it is very stable, the last I tried 12.0.7(S) was pretty horrible. I have '9 down but not tested yet.
Ditto. I'm still wondering why Aaron won't tell us the platform ;)

Cheers
-- Sid
Ditto. I'm still wondering why Aaron won't tell us the platform ;)
FWIW, I've tested it on 7500 series and I honestly couldn't recommend it yet. Some nice features in 12, but still very buggy.

-cw
-- Chris Wedgwood
chris.wedgwood(a)clear.co.nz