DoS attack to Null routed IPs

Hi,

I have recently had a problem where one or more of our routers became very slow to respond before all the OSPF sessions timed out, and I think it may have been due to a DoS attack, as an increase in the PPS was seen just before this occurred.

It seems that the router worst hit is always the router that is Null routing traffic for any IPs not currently connected or in use. Could this be a general ICMP attack? What's the best method to Null route IPs not in use without it causing an issue for the router when under attack?

When we had this issue I saw an increase in PPS incoming but not a noticeable increase in traffic, so would rate-limiting ICMP traffic inbound (if that's what caused the issue) help if it's a small amount of traffic, but lots of small packets?

I would appreciate any pointers on securing against DoS, or easy ways to identify what is causing the issue. Routers in question are 7200 & 7600.

Many thanks.

Jim.


It depends a lot on the type of traffic being passed through during the DoS. How are you so certain that it is ICMP traffic that is causing the issue? How often is this happening?

I would like to see the following information from the router when the cpu is high.

  1. show tech
  2. show ip traffic (3 times in a few mins)
  3. show interface | inc rate | line
  4. show interface switching

On the 7600, with the SUP720 we can actually span the SUP to see what is being punted to the MSFC.

Is this attack causing process-switching of traffic, i.e. do you see high CPU with the process using the most CPU being IP Input?

Please contact me directly and we can discuss this a little more.

Anthony snipped-for-privacy@cisco.com


  int null0
   no ip unreachables

Matt.

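To make Matt's one-liner concrete, here is an added example (not posted by anyone in the thread) of the weak and the corrected Null0 configuration side by side, plus the rate limiters a practitioner would pair with it on a 7200/7600. The prefix 192.0.2.0/24 and the rate values are assumptions chosen for illustration; check the exact syntax for your IOS train and supervisor before pasting.

```cisco
! Added example, not from the original thread. Prefix and rates are assumed.
!
! --- Weak setting ---------------------------------------------------------
! Dark (unused) space is dropped by pointing it at Null0. By default Null0
! still generates an ICMP unreachable for every dropped packet, so a flood of
! small packets aimed at the dark space becomes a flood of unreachables the
! router has to build in software (on a 7600 these are punted to the MSFC).
ip route 192.0.2.0 255.255.255.0 Null0
!
! --- Corrected setting ----------------------------------------------------
! Keep the null route, but stop Null0 from answering. The packet is then
! discarded at no further cost. Traceroute into the dark space will just
! show timeouts, which is acceptable for space that is not in use.
interface Null0
 no ip unreachables
!
! Limit unreachables still sent from real interfaces (one per 1000 ms;
! the IOS default is one per 500 ms).
ip icmp rate-limit unreachable 1000
!
! 7600 / SUP720 only: hardware rate limiter for packets that have no route
! or are dropped by an ACL, so they cannot saturate the punt path
! (100 pps, burst of 10 is an assumed value). Verify with:
!   show mls rate-limit
mls rate-limit unicast ip icmp unreachable no-route 100 10
mls rate-limit unicast ip icmp unreachable acl-drop 100 10
```

To confirm the change is doing something, take `show ip traffic | include unreachable` a few times during an event, as Anthony suggests, and watch the ICMP "Sent ... unreachable" counter: with `no ip unreachables` on Null0 it should stop climbing in step with the incoming PPS, while `show processes cpu sorted` should no longer show IP Input at the top.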
