DOS protection

I'm researching products that will help prevent or mitigate a DOS attack at a provider edge, which in this case consists of two 7206s. We've seen CPU use peak out, CPU tracebacks, reboots, etc. occur under what appear to be DOS-type storms. We're in the process of implementing Net Flow Accounting and hope to upgrade to G1 CPUs, but are still interested in what solutions exist that might mitigate the effects of a DOS attack on router resources, if not bandwidth.

I've looked at the CISCO GUARD XT 5650 and CISCO TRAFFIC ANOMALY DETECTOR XT 5600 solution, which appears to use net flow info to determine abnormal traffic patterns and then quarantines offending traffic. This solution would run in the 50-100K range.

What other Cisco or, dare I suggest, non-Cisco products might I want to look at? The cheaper the better.

lfnetworking

On 18.01.2006 20:30 lfnetworking wrote

You may want to have a look at

formatting link
as well

Arnold

Arnold Nipper

Have you tried using rate limiting ACLs on the routers? I have seen Cisco documentation on this, but haven't heard from anyone who actually applied this on networks undergoing attack. I would like to hear your opinion on such ACLs.

Try this link

formatting link

luqs

Interesting you should mention this as I just finished reading this doc on CPP (Control Plane Policing). I'd like to give this a try.

formatting link

lfnetworking

Hi,

I wouldn't normally respond to postings such as yours, but you did ask a direct question about DDoS mitigation. If you feel my response is inappropriate, please accept my apologies and ignore the message below.

I work for Prolexic dot com, the world's largest DDoS mitigation company. Only last month, we gained a new client who was receiving a 10Gb attack - their past provider could not help them, but we did. We also recently performed a DDoS Vulnerability Assessment for a global bank who were using the Arbor/Cisco solution. We managed to compromise this system quite easily. We are now designing an Arbor interface, so that the Arbor can be used to BGP traffic to our service instead of the Cisco Guard.

If you would like further information, please visit our web site, or contact me on aross at prolexic dot com.

Andrew

andrewacross
