12-30-2004 11:52 PM
Hi there,
Just want to know: can we actually protect our customers' MPLS/VPN from being attacked by DoS? I found two methods in a Cisco presentation regarding this config:
!
ip vrf red
maximum routes 40 80
!
or
!
router bgp 13
neighbor 140.0.250.2 maximum-prefix 45 80 restart 2
!
Which method is applicable and lasts longest during the attacks?
thanks in advance.
maher
12-31-2004 12:10 AM
Note that the two methods above protect the service provider router more than the customer's. This is because they control the number of routes the SP routers take into the VRF routing table. While the VRF form applies to the whole VPN, the BGP form can be configured per customer link.
If you are thinking of DoS attacks on the customer router with respect to many routing entries, then you could do some route filtering using things like distribute lists (depending on your routing protocol).
12-31-2004 07:51 AM
Hi there,
Thanks for the advice. Hmm... you are absolutely right. This method is towards protecting the SP rather than the customers...
thanks for the highlight.
maher
12-31-2004 04:16 AM
hi,
Trying to resolve this kind of attack with BGP makes it harder, because if the prefixes increase, the router breaks down the BGP peering, gets the routes again, and it will exceed the values again. This kind of configuration can consume router CPU, so it may stop the actual DoS, but you make another DoS for yourselves. If you want to limit the prefixes, the first way you defined may be used. But I would prefer to use distribute lists with neighbors.
regards,
Gurkan
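The configuration below is an added example, not taken from any post in this thread, showing how the three approaches discussed (the per-VRF route limit, the per-neighbor maximum-prefix, and inbound filtering on the neighbor) fit together on the PE. The provider AS 13 and the neighbor address 140.0.250.2 come from the original post; the customer AS 65001, the RD/RT value 13:100, the customer block 10.1.0.0/16, the prefix-list name CUST-RED-IN and access-list 10 are assumed for illustration.

```cisco
! Added example, not from the thread. AS 65001, RD/RT 13:100, the customer
! block 10.1.0.0/16, the prefix-list name and ACL number are all assumed.
!
! 1) Per-VRF limit: caps the total routes the PE installs into VRF "red",
!    whatever CE or remote PE they arrive from. With "40 80" the router logs
!    a warning at 80% (32 routes) and stops installing at 40; replacing the
!    percentage with "warn-only" keeps installing and only logs.
ip vrf red
 rd 13:100
 route-target export 13:100
 route-target import 13:100
 maximum routes 40 80
!
! Prefixes the customer on this link is allowed to announce (assumed block
! 10.1.0.0/16, subnets no longer than /24). Everything else is dropped.
ip prefix-list CUST-RED-IN seq 10 permit 10.1.0.0/16 le 24
ip prefix-list CUST-RED-IN seq 100 deny 0.0.0.0/0 le 32
!
! Classic distribute-list form of the same filter (alternative to the
! prefix-list; IOS allows only one of the two inbound on a given neighbor).
access-list 10 permit 10.1.0.0 0.0.255.255
!
router bgp 13
 address-family ipv4 vrf red
  neighbor 140.0.250.2 remote-as 65001
  neighbor 140.0.250.2 activate
  ! 2) Per-neighbor limit on this CE link only. The session is torn down at
  !    45 prefixes and re-established 2 minutes later; if the CE still
  !    sends too many, the flap repeats. Replace "restart 2" with
  !    "warning-only" to log without dropping the session, which avoids
  !    the drop/re-learn cycle that costs CPU on the PE.
  neighbor 140.0.250.2 maximum-prefix 45 80 restart 2
  ! 3) Filter before counting: only the customer's own prefixes are
  !    accepted, so a flood of bogus routes is dropped at the edge rather
  !    than counted against the limits above.
  neighbor 140.0.250.2 prefix-list CUST-RED-IN in
  ! neighbor 140.0.250.2 distribute-list 10 in   (alternative to the line above)
 exit-address-family
!
! Verification commands:
!   show ip bgp vpnv4 vrf red summary   (per-neighbor prefix count / state)
!   show ip route vrf red summary       (routes currently in the VRF table)
```

The prefix-list filter is the part that protects the customer side: routes that never match CUST-RED-IN are discarded before they are counted, so neither limit trips and the peering stays up. The two limits then act only as a backstop for the PE when legitimate-looking prefixes are announced in bulk.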
12-31-2004 07:56 AM
Hi there,
Thanks for the informative inputs. I will have a look at the distribute lists :)
regards,
maher