I have recently had a problem where one or more of our routers became very slow to respond before all the OSPF sessions timed out, and I think it may have been due to a DoS attack, as an increase in the PPS was seen just before this occurred.
It seems that the router worst hit is always the router that is Null routing traffic for any IPs not currently connected or in use. Could this be a general ICMP attack? What's the best method to Null route IPs not in use without it causing an issue for the router when under attack?
When we had this issue I saw an increase in PPS incoming but not a noticeable increase in traffic, so would rate-limiting ICMP traffic inbound (if that's what caused the issue) help if it's a small amount of traffic, but lots of small packets?
I would appreciate any pointers on securing against DoS, or easy ways to identify what is causing the issue. Routers in question are 7200 & 7600.