DoS attack to Null routed IPs

Discussion in 'Cisco' started by Jim, Jul 4, 2005.

  1. Jim

    Jim Guest

    Hi,

    I have recently had a problem where one or more of our routers became very
    slow to respond before all the OSPF sessions timed out, and I think it may have been due
    to a DoS attack as an increase in the PPS was seen just before this occurred.

    It seems that the router worst hit is always the router that is Null routing traffic for
    any IPs not currently connected or in use. Could this be a general ICMP attack?
    What's the best method to Null route IPs not in use without it causing an issue
    for the router when under attack?

    When we had this issue I saw an increase in PPS incoming but not a noticeable increase
    in traffic, so would rate-limiting ICMP traffic inbound (if that's what caused the issue)
    help if it's a small amount of traffic, but lots of small packets?

    I would appreciate any pointers on securing against DoS, or easy ways to identify
    what is causing the issue. Routers in question are 7200 & 7600.

    Many thanks.

    Jim.
    Jim, Jul 4, 2005
    #1

  2. Jim

    Anthony Guest

    It depends a lot on the type of traffic being passed through during the
    DoS. How are you so certain that it is ICMP traffic that is causing the
    issue? How often is this happening?

    I would like to see the following information from the router when the
    CPU is high.

    1. show tech
    2. show ip traffic (3 times in a few mins)
    3. show interface | inc rate | line
    4. show interface switching

    On the 7600, with the SUP720 we can actually span the SUP to see what
    is being punted to the MSFC.

    Is this attack causing process-switching of traffic, i.e. you see high
    CPU and the process with most utilization is IP Input?

    Please contact me directly and we can discuss this a little more.

    Anthony
    Anthony, Jul 4, 2005
    #2

  3. Jim

    Matt Guest

    int null0
    no ip unreachables


    Matt.

    Jim wrote:
    > Hi,
    >
    > I have recently had a problem where one or more of our routers became very
    > slow to respond before all the OSPF sessions timed out, and I think it may have been due
    > to a DoS attack as an increase in the PPS was seen just before this occurred.
    >
    > It seems that the router worst hit is always the router that is Null routing traffic for
    > any IPs not currently connected or in use. Could this be a general ICMP attack?
    > What's the best method to Null route IPs not in use without it causing an issue
    > for the router when under attack?
    >
    > When we had this issue I saw an increase in PPS incoming but not a noticeable increase
    > in traffic, so would rate-limiting ICMP traffic inbound (if that's what caused the issue)
    > help if it's a small amount of traffic, but lots of small packets?
    >
    > I would appreciate any pointers on securing against DoS, or easy ways to identify
    > what is causing the issue. Routers in question are 7200 & 7600.
    >
    > Many thanks.
    >
    > Jim.
    Matt, Jul 4, 2005
    #3
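
Added example, not posted by anyone in the thread: a Python sketch that compares successive `show ip traffic` captures (the output requested in post #2) to measure how fast the router itself is generating ICMP unreachables, which is the behaviour `no ip unreachables` under `int null0` (post #3) switches off. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: ICMP/UDP part of "show ip traffic", captured 60 s apart.
SNAP_1 = """\
ICMP statistics:
  Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 12 unreachable
        340 echo, 2 echo reply, 0 mask requests, 0 mask replies, 0 quench
  Sent: 0 redirects, 1500 unreachable, 1 echo, 340 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 timestamp
UDP statistics:
  Rcvd: 9000 total, 0 checksum errors, 10 no port
"""
SNAP_2 = SNAP_1.replace("1500 unreachable", "31500 unreachable")


def icmp_sent_counters(show_ip_traffic: str) -> dict:
    """Return {counter name: value} for the 'Sent:' half of the ICMP block."""
    counters, in_icmp, in_sent = {}, False, False
    for line in show_ip_traffic.splitlines():
        if re.match(r"^\S.* statistics:", line):  # start of a protocol block
            in_icmp, in_sent = line.startswith("ICMP"), False
            continue
        if not in_icmp:
            continue
        stripped = line.strip()
        if stripped.startswith("Rcvd:"):
            in_sent = False
        elif stripped.startswith("Sent:"):
            in_sent, stripped = True, stripped[len("Sent:"):]
        if in_sent:  # the Sent: line and its continuation lines
            for value, name in re.findall(r"(\d+) ([a-z ]+?)(?:,|$)", stripped):
                counters[name.strip()] = int(value)
    return counters


def unreachable_pps(before: str, after: str, seconds: float) -> float:
    """ICMP unreachables the router generated per second between two captures."""
    sent_before = icmp_sent_counters(before)["unreachable"]
    sent_after = icmp_sent_counters(after)["unreachable"]
    return (sent_after - sent_before) / seconds


if __name__ == "__main__":
    rate = unreachable_pps(SNAP_1, SNAP_2, 60)
    print(f"router is sending {rate:.0f} ICMP unreachables per second")
```

A "Sent ... unreachable" counter that climbs in step with the inbound PPS means the router is answering each dropped packet in software; a flat counter points the investigation elsewhere.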