12-12-2016 12:47 AM
Hi all!
I want to match ipv4 packets by packet length on ASR 9000. Is it possible? I can't find this option in 5.3.4.
12-12-2016 10:47 AM
Hi,
Couple of things,
FlowSpec is great for reactive DDoS mitigation as it allows you to enforce edge policies from a central point and it’s much more granular than classical RTBH.
However it has a number of drawbacks that limit its deployment to reactive filtering.
1) Current implementations of FlowSpec do not allow you to specify the interface for which the policy is intended, so the box has to apply the policy to all interfaces. Yes, you can disable FS per interface (I suggest you do so on core-facing interfaces), but all the remaining interfaces enabled for FS will install the filter and thus are subject to a ~25% performance hit for all traffic passing through these interfaces (the performance hit is actually per NPU, so if an NPU is hosting 3 10GE ports, even if only one of them is enabled for FlowSpec the other two ports are affected).
2) The order of individual FlowSpec filters/rules cannot be dictated and is determined automatically (most specific rules go first).
So FlowSpec has great potential, especially when joined with IPS, i.e. an Intrusion Detection System generating FlowSpec rules to redirect specific traffic to a scrubbing centre.
But for proactive DDoS protection (always-on rules) you are better off with conventional filtering methods (for now).
Regarding your deployment, I’d also advise you to rate-limit rather than drop completely.
e.g. even if a DNS/NTP packet is really big it might be legit, but if you encounter a stream of 1Gbps of such packets it’s time to rate-limit.
adam
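An added configuration example (my own, not from the thread or from Cisco) that puts the two answers together: the class-map `match packet length` available since 5.2.0, combined with a policer so that oversized DNS/NTP packets are rate-limited rather than dropped outright. The class-map and policy-map names, the 1000-byte threshold, the 100 Mbps rate and the interface are assumptions, and the two-argument range form of `match packet length` is inferred from the `?` help shown in the thread, so confirm it with `?` on your release.

```text
! Added example, not the original poster's or Cisco's config.
! Names, thresholds, rate and interface are placeholders.
class-map match-all BIG-DNS-NTP-REPLIES
 match protocol udp
 ! source ports 53 (DNS) and 123 (NTP); multi-port list form assumed
 match source-port 53 123
 ! lower and upper packet-length bounds; range form assumed from the "?" help
 match packet length 1000 65535
 end-class-map
!
policy-map LIMIT-BIG-DNS-NTP
 class BIG-DNS-NTP-REPLIES
  ! let up to 100 Mbps of matching traffic through, drop only the excess
  police rate 100 mbps
   conform-action transmit
   exceed-action drop
  !
 !
 class class-default
 !
 end-policy-map
!
! apply inbound on the edge (customer/peer-facing) port, not on core-facing ports
interface TenGigE0/0/0/0
 service-policy input LIMIT-BIG-DNS-NTP
!
commit
```

After committing, `show policy-map interface TenGigE0/0/0/0 input` shows conform/exceed counters per class, which is the quickest way to see whether the threshold is catching real attack traffic or legitimate large replies.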
12-12-2016 06:26 AM
Hi
match packet length was introduced in 5.2.0
(config)#class-map test
(config-cmap)#match packet length ?
<0-65535> Enter IP Packet length
<0-65535>- Lower limit of the packet length to match.
ipv4 IPV4 Packet Length
ipv6 IPV6 Packet Length
adam
12-12-2016 06:39 AM
I want to match packets by length in ACL to filter some DDoS attacks.
On Nexus platform I can do this.
Or the only way is policing and dropping matched packets?
12-12-2016 07:04 AM
Hi Vladimir,
you should consider Flowspec then, it will be an easy way to disseminate your anti-DDoS rules.
Cheers,
N.
12-12-2016 08:51 AM
Agree with Nicolas re flowspec. Natively the ASR9k matching/filtering on pkt length with an ACL is supported on Tomahawk Linecards (aka 400/800/1.2T LCs) starting from first half of next year - Release 6.2.2.
Regards
Eddie.