DDOS mitigation tips and tricks

paul amaral
Level 4

Recently one of our customers was a victim of a DDOS attack. Unfortunately this attack maxed out our uplink to the internet. This was a DNS amplification attack with spoofed IP addresses.

At this particular location we use a Cisco 6500, soon to be an ASR. When I first noticed the attack my first thought was to use an ACL at the uplink interface, but I soon realized that the Cisco would not block packets with a SRC/DEST port of 0. I later concluded this was probably due to the packet being fragmented and missing the L4 header; I did not sniff the packets so I'm guessing here.
The ACL was really the only defense I had and it did not work. This attack on that particular customer was affecting traffic inbound to us from the internet and thus affecting all other customers that were not the intended victim. Fortunately we have fiber to other providers and I was able to set up another uplink with BGP and announced my customer's /24 only through that link. This alleviated the primary uplink and caused the attack to come in on the newly installed link, thus affecting only that particular customer. I then rate-limited the traffic leaving the 6500 to their VLAN via a metro-e link. This of course only mitigated things; eventually we ended up changing my customer's FW IP that was being attacked while they checked the inside of their network for Trojans/viruses etc.
DDOS attacks are something we don't deal with all the time, and again to my surprise the ACL did nothing; the upstream, a national ISP, did not help us at all. This got me thinking what else could I have done, especially on the 6500. I know there are hardware limits on the 6500, but is that for traffic to the 6500 itself or traffic passing through it? I did use a rate-limit, but this obviously only works once the traffic is already on the 6500, and when the link it used to get there is maxed out it does not stop the flood from reaching my WAN port. I also looked at uRPF, but again this only stops traffic once it reaches the WAN port, and with spoofed src addresses from the internet it does very little. The link that worked for me the most was adding the second uplink and having the incoming packets come in through that link, helping out the other customers I had.
I would like to hear someone else's experiences and what recommendations they have. This DDOS attack made me realize how a simple attack can cause havoc on your network and how it's not easily stopped, only mitigated.
Thanks, paul
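The post above observes that the flood arrived largely as fragmented DNS responses whose non-initial fragments carry no L4 header, so an ACL matching udp/53 never sees most of the bytes. The following is an added example, not code from the thread or from Cisco, that runs over constructed NetFlow-style records and shows how much of an amplification flood a udp/53 match would miss; the record layout, the exporter reporting ports as 0 for non-initial fragments, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real traffic):
# (src, dst, proto, sport, dport, bytes, frag_offset)
# Assumption: the exporter reports sport/dport as 0 for non-initial fragments,
# because those packets carry no UDP header.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 17, 53, 40001, 1400, 0),    # first fragment of a large DNS answer
    ("198.51.100.7", "203.0.113.10", 17, 0, 0, 2600, 185),       # its non-initial fragments
    ("198.51.100.8", "203.0.113.10", 17, 53, 40001, 1400, 0),
    ("198.51.100.8", "203.0.113.10", 17, 0, 0, 2600, 185),
    ("198.51.100.9", "203.0.113.10", 17, 53, 40001, 1400, 0),
    ("198.51.100.9", "203.0.113.10", 17, 0, 0, 2600, 185),
    ("192.0.2.20", "203.0.113.50", 17, 53, 51000, 120, 0),       # ordinary small DNS reply
    ("192.0.2.21", "203.0.113.50", 6, 443, 52000, 9000, 0),      # unrelated HTTPS flow
]

def classify(flow):
    """Label one record: 'dns_reply' (what a udp/53 ACL matches), 'fragment', or 'other'."""
    _, _, proto, sport, dport, _, frag_offset = flow
    if proto == 17 and frag_offset > 0 and sport == 0 and dport == 0:
        return "fragment"
    if proto == 17 and sport == 53:
        return "dns_reply"
    return "other"

def summarize(flows):
    """Per destination: bytes a udp/53 ACL would catch, bytes in port-0 fragments, distinct reflectors."""
    stats = defaultdict(lambda: {"dns_bytes": 0, "fragment_bytes": 0, "reflectors": set()})
    for flow in flows:
        src, dst, _, _, _, nbytes, _ = flow
        kind = classify(flow)
        if kind == "dns_reply":
            stats[dst]["dns_bytes"] += nbytes
            stats[dst]["reflectors"].add(src)
        elif kind == "fragment":
            stats[dst]["fragment_bytes"] += nbytes
            stats[dst]["reflectors"].add(src)
    return stats

def suspected_victims(stats, min_reflectors=3, min_fragment_share=0.5):
    """Flag hosts hit from many reflectors where most DNS-related bytes arrive as port-0 fragments."""
    out = {}
    for dst, s in stats.items():
        total = s["dns_bytes"] + s["fragment_bytes"]
        if total and len(s["reflectors"]) >= min_reflectors and s["fragment_bytes"] / total >= min_fragment_share:
            out[dst] = {"total_bytes": total, "acl_udp53_share": s["dns_bytes"] / total,
                        "reflectors": len(s["reflectors"])}
    return out

if __name__ == "__main__":
    for dst, v in suspected_victims(summarize(SAMPLE_FLOWS)).items():
        print(f"{dst}: {v['total_bytes']} B from {v['reflectors']} reflectors; "
              f"a udp/53 ACL would match only {v['acl_udp53_share']:.0%} of it")
```

With the sample data the victim receives 12000 bytes from three reflectors, and a udp/53 match covers only 35% of it; the remaining fragments need a separate match (or upstream filtering) to be counted or dropped.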

2 Replies

Jaderson Pessoa
VIP Alumni

Hello,
To minimize it, you can disable ICMP and have another link or other links with load balancing.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Leo Laohoo
Hall of Fame

@paul amaral wrote:

This got me thinking what else could I have done, especially on the 6500.


In my personal opinion, if the DDoS has hit your ISP-facing port it is "game over". 

Amplification attacks can only be stopped at the ISP level because they can sniff out the bad traffic as it goes by (heading to you).