Showing results for 
Search instead for 
Did you mean: 

Basic protection from DDoS attack


There are published materials from many organizations, groups, and individuals that provide guides on how to protect a network from DDoS attack. Consolidating all these materials will give a network a fighting chance against DDoS attack.

The sample configurations are for network with ASN, IPv4 Netblock, and IPv6 Netblock from RIRs and receive full BGP route with no default route.

Table 1 - Consolidated published materials for protection from DDoS attack

ICMP FloodLayer 3CARYesYes
Multicast FloodLayer 3CARYesYes
Non-Initial ICMP Fragments FloodLayer 3ACLYesNA
Non-Initial IP Fragments FloodLayer 3ACLYesYes
ICMP TypesLayer 3CAR + ACLYesYes
UDP FloodLayer 4CARYesYes
Non-Initial TCP Fragments FloodLayer 4ACLYesNA
Non-Initial UDP Fragments FloodLayer 4ACLYesNA
SQL SLammerLayer 7ACLYesYes
IP Spoofing - Your NetblockLayer 3, 4, and 7ACLYesYes
IP Spoofing - BogonsLayer 3, 4, and 7ACLYesYes
IP Spoofing - FullbogonsLayer 3, 4, and 7Bogons Route Server + uRPF Loose Mode + BGP + RTBHYesYes
Spamhaus DROP, eDROP, and Botnet C&C ListsLayer 3, 4, and 7Spamhaus BGP Feed Server + uRPF Loose Mode + BGP + RTBHYes-
Source / Destination not in Border Routers Routing TableLayer 3, 4, and 7ACL + uRPF Loose Mode + BGP + Full BGP RouteYesYes
Source / Destination Black Holed (Manual)Layer 3, 4, and 7uRPF Loose + BGP + RTBHYesYes

Figure 1 - Implementation diagram


CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey

This widget could not be displayed.