
DDoS Mitigation on the Cat 6500 with Sup720

Matthew burnley
Level 1

Hello Everyone,

I am doing a bit of research into mitigating DDOS attacks when using the 6500 switch with a Sup720 3BXL supervisor card as a core router.  I would assume this can only be answered by experienced network engineers who have worked with these switches but maybe I'm wrong.

Anyways we have had problems with the above platform and found a 5GBPS DDOS attack caused havoc with the 6500, it was major service affecting to everyone inside the network, I was not there when the DDOS hit but it sounds like it must have saturated the route processor or something.  So I have been reading up on the 6500+sups and see they are supposed to be quite resilient to DDOS if configured correctly.

1) Using the control plane policy rate limit, the example is quoted below.

"The following is a configuration example of CoPP for the reporting class of traffic such as ICMP. It is first essential to use the "mls qos" CLI to allow hardware CoPP DoS mitigation.
Access-list and class-maps should then be defined to match the ICMP traffic. The following CoPP policy-map limits reporting traffic to 100 Kbps.
After the policy-map is applied to the control-plane interface with the service-policy input command, ICMP traffic to the route processor is limited to 100 Kbps in hardware.

Router(config)# mls qos

Router(config)# access-list 101 permit icmp any any

Router(config)# class-map reporting
Router(config-cmap)# match access-group 101

Router(config)# policy-map control-plane-policy
Router(config-pmap)# class reporting
Router(config-pmap-c)# police 100000 conform-action transmit exceed-action drop

Router(config)# control-plane
Router(config-cp)# service-policy input control-plane-policy"

This seems like it would work but for only ICMP traffic, can anyone explain how effective this method is or comment on the advantages/disadvantages of implementing it?

Another way could be implementing an ACL on an ingress port that the DDOS is entering the network on. I believe somebody tried this and found the DDOS was too large and spilt the processing out of the hardware and into the software and saturated the route processor. The fix to this was to implement the following command, which apparently dropped all packets that overflowed out of the hardware processing (replying to ICMP) and protected the CPU?

mls rate-limit unicast ip icmp unreachable acl-drop 0

access-list 101 remark DOS Attack blocker
access-list 101 deny udp any host
access-list 101 deny ip any host fragments
access-list 101 permit ip any any

ip access-group 101 in
no ip unreachables

The ACL in this example was to filter UDP traffic not ICMP from what I can tell and also has a fragment filter that drops all fragmented packets protecting the router CPU from having to reassemble the packets?  I also hear that you NEED to implement the IP unreachables command on the interface for this to be effective also?  Anyone know why?

Can anyone expand on what I have so far or comment on effectiveness of these mitigation techniques or anything that may be missing/wrong?  I don't have a great understanding of the architecture of the 6500 yet although I have read up quite a bit, I just find it confusing in parts.

Hopefully we will get some interesting answers!
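
The dependencies described in the question above (mls qos before hardware CoPP, a policer under each class, the control-plane attachment, and no ip unreachables beside an ingress ACL) can be checked against a saved configuration. This is an added example, not part of the original post or any Cisco tool; the sample config, interface names and ACL 102 are constructed, and it assumes each police line directly follows its class line.

```python
# Constructed sample (not a real device); interface names and ACL 102 are assumed.
SAMPLE = """\
mls qos
mls rate-limit unicast ip icmp unreachable acl-drop 0
policy-map control-plane-policy
 class reporting
  police 100000 conform-action transmit exceed-action drop
 class management
interface TenGigabitEthernet1/1
 ip access-group 102 in
 no ip unreachables
interface TenGigabitEthernet1/2
 ip access-group 102 in
control-plane
 service-policy input control-plane-policy
"""

def sections(config):
    """Group config lines into {top-level line: [indented child lines]}."""
    out, cur = {}, None
    for line in config.splitlines():
        if line[:1] not in ("", " ", "!"):
            cur = out.setdefault(line.strip(), [])
        elif line.strip() and cur is not None and not line.startswith("!"):
            cur.append(line.strip())
    return out

def audit(config):
    """Return findings for the CoPP and ingress-ACL settings from the post."""
    secs, found = sections(config), []
    if "mls qos" not in secs:
        found.append("mls qos missing: CoPP is not applied in hardware")
    if not any(h.startswith("mls rate-limit unicast ip icmp unreachable acl-drop") for h in secs):
        found.append("no acl-drop rate limiter for ICMP unreachables")
    attach = [k.split()[-1] for k in secs.get("control-plane", []) if k.startswith("service-policy input ")]
    policy = secs.get("policy-map " + attach[0]) if attach else None
    if policy is None:
        found.append("control-plane has no defined input service-policy")
    for i, line in enumerate(policy or []):
        nxt = policy[i + 1] if i + 1 < len(policy) else ""
        if line.startswith("class ") and not nxt.startswith("police "):
            found.append(f"{line} has no policer")
    for head, kids in secs.items():
        acl_in = any(k.startswith("ip access-group ") and k.endswith(" in") for k in kids)
        if head.startswith("interface ") and acl_in and "no ip unreachables" not in kids:
            found.append(f"{head}: ingress ACL without 'no ip unreachables'")
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
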


1 Reply

Leo Laohoo
Hall of Fame

It will depend on your network topology.  


DDoS comes in various sizes and shapes.  If you have ample IPS/IDS/FW you will be able to stop or mitigate a significant portion of any DDoS directed from the outside.


The biggest threat to corporate networks nowadays is a set of recently discovered DDoS tools that any person, without any knowledge of scripting, can use that can bring any network down in a matter of minutes.  I am talking about the "terrible twins":  Low Orbit(al) Ion Cannon (LOIC) and High Orbit(al) Ion Cannon (HOIC).



Both pieces of software are freely available over the net and, currently, nothing can truly mitigate HOIC.  There are advisories on stopping LOIC but HOIC is truly the "King Kong" of them all.   One of the temporary ways of slowing down (not stopping) an HOIC attack is to cooperate/coordinate with your ISP upstream and ask them to throttle any HTTP/HTTPS traffic down to, for example, a 512 kbps connection.  This will alleviate any sustained attack from multiple sources.
