DOS protection

Discussion in 'Cisco' started by lfnetworking, Jan 18, 2006.

  1. lfnetworking

    lfnetworking Guest

    I'm researching products that will help prevent or mitigate a DOS attack
    at a provider edge, which in this case, consists of two 7206s. We've
    seen cpu use peak out, cpu tracebacks, reboots, etc occur under what
    appear to be DOS type storms. We're in the process of implementing Net
    Flow Accounting and hope to upgrade to G1 cpus, but, are still
    interested in what solutions exist that might mitigate the effects of a
    DOS attack on router resources if not bandwidth.

    I've looked at the CISCO GUARD XT 5650 and CISCO TRAFFIC ANOMALY
    DETECTOR XT 5600 solution which appears to use net flow info to
    determine abnormal traffic patterns and then quarantines offendin
    traffic. This solution would run in the 50-100K range.

    What other cisco or dare I suggest, non-cisco products might I want to
    look at. The cheaper the better.
    lfnetworking, Jan 18, 2006
    #1
    1. Advertising

  2. On 18.01.2006 20:30 lfnetworking wrote

    > I'm researching products that will help prevent or mitigate a DOS attack
    > at a provider edge, which in this case, consists of two 7206s. We've
    > seen cpu use peak out, cpu tracebacks, reboots, etc occur under what
    > appear to be DOS type storms. We're in the process of implementing Net
    > Flow Accounting and hope to upgrade to G1 cpus, but, are still
    > interested in what solutions exist that might mitigate the effects of a
    > DOS attack on router resources if not bandwidth.
    >
    > I've looked at the CISCO GUARD XT 5650 and CISCO TRAFFIC ANOMALY
    > DETECTOR XT 5600 solution which appears to use net flow info to
    > determine abnormal traffic patterns and then quarantines offendin
    > traffic. This solution would run in the 50-100K range.
    >
    > What other cisco or dare I suggest, non-cisco products might I want to
    > look at. The cheaper the better.


    You may want to have a look at http://www.ddos-guard.com/ as well


    Arnold
    --
    Arnold Nipper, AN45
    Arnold Nipper, Jan 18, 2006
    #2
    1. Advertising

  3. lfnetworking

    luqs Guest

    Have you tried using rate limiting ACLs on the routers.
    I have seen cisco documentation on this, but havent heard from anyone
    who actually applied this on networks undergoing attack. I would like
    to hear your opinion on such ACLs.

    Try this link

    http://www.cymru.com/Documents/index.html
    luqs, Jan 18, 2006
    #3
  4. lfnetworking

    lfnetworking Guest

    luqs wrote:
    > Have you tried using rate limiting ACLs on the routers.
    > I have seen cisco documentation on this, but havent heard from anyone
    > who actually applied this on networks undergoing attack. I would like
    > to hear your opinion on such ACLs.
    >
    > Try this link
    >
    > http://www.cymru.com/Documents/index.html
    >

    Interesting you should mention this as I just finished reading this doc
    on CPP (Control Plane Policing). I'd like to give this a try.

    http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml
    lfnetworking, Jan 18, 2006
    #4
  5. lfnetworking

    Guest

    Hi,

    I wouldn't normally respond to postings such as yours, but you did ask
    a direct question about DDoS mitigation. If you feel my response is
    inappropriate, please accept my apologies and ignore the message below.

    I work for Prolexic dot com, the world's largest DDoS mitigation
    company. Only last month, we gained a new client who was receiving a
    10Gb attack - their past provider could not help them, but we did. We
    also recently performed a DDoS Vulnerability Assessment for a global
    bank who were using the Arbor/Cisco solution. We managed to compromise
    this system quite easily. We are now designing an Arbor interface, so
    that the Arbor can be used to BGP traffic to our service instead of the
    Cisco Guard.

    If you would like further information, please visit our web site, or
    contact me on aross at prolexic dot com.

    Andrew
    , Jan 19, 2006
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Pawel Jawien

    Strong private key protection and 802.11x

    Pawel Jawien, Jul 8, 2004, in forum: Wireless Networking
    Replies:
    0
    Views:
    1,080
    Pawel Jawien
    Jul 8, 2004
  2. geepeetee

    shared connection protection

    geepeetee, Apr 19, 2005, in forum: Wireless Networking
    Replies:
    1
    Views:
    462
    Malke
    Apr 19, 2005
  3. Gabriel South

    Wireless protection...

    Gabriel South, Jun 29, 2005, in forum: Wireless Networking
    Replies:
    2
    Views:
    459
    Jack \(MVP\)
    Jun 30, 2005
  4. Don
    Replies:
    5
    Views:
    2,047
    °Mike°
    Feb 11, 2004
  5. Igor Mamuziæ

    IOS DoS defense causes DoS to itself:)

    Igor Mamuziæ, May 12, 2006, in forum: Cisco
    Replies:
    2
    Views:
    535
    Igor Mamuzic
    May 20, 2006
Loading...

Share This Page