12-25-2014 05:01 AM
Dear Sir/Madam,
Please kindly help by providing me a way to see/find a DDoS attack. How can I prevent a DDoS attack on Cisco IOS XR 9K? Recently I found my traffic going up and down abnormally, and I suspect there is a DDoS attack in my networks.
Thank you in advance for your kind feedback.
sothea
12-25-2014 05:44 AM
One of the easiest ways to detect DOS attacks is by using netflow.
There are very good applications out there that can do signature recognition on those netflow records in order to identify whether flows are legitimate or whether they are part of a potential DOS flow.
The application can then use technologies such as FlowSpec to catch those identified flows and send them over to a cleanser or DPI for further analysis, and if deemed to be truly malicious, FlowSpec can be used to completely drop them at the borders and possibly do something in terms of advertisement to protect the border links.
A9K itself, or XR for that matter, if it is the target, is rather nicely protected already via LPTS, so there is little that you need to do in XR to protect the node itself. But in order to mitigate "transient" DOS attacks, netflow would be the first thing to leverage.
LPTS, Netflow and Flowspec are nicely documented with some articles on the support forums in the documentation tab. I think you can find them easily; if not, send us a note.
cheers
xander
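
Added example, not part of the original reply and not Cisco code: a simple threshold heuristic over flow records that flags destinations receiving many small packets from many sources, the kind of target a collector would hand to FlowSpec. The record layout, sampling interval, thresholds and addresses are constructed assumptions, and this is much simpler than the signature recognition the reply refers to.

```python
from collections import defaultdict

SAMPLING_INTERVAL = 1000  # assumption: router samples 1 packet in 1000
INTERVAL_SECONDS = 60     # assumption: one export window covers 60 seconds


def build_sample_flows():
    """Constructed records (not real traffic):
    (src_ip, dst_ip, dst_port, sampled_packets, sampled_bytes)."""
    # A few clients moving large packets to a web server: normal traffic.
    flows = [("192.0.2.%d" % i, "198.51.100.10", 443, 40, 52000)
             for i in range(1, 6)]
    # Many sources, tiny packets, one destination: flood-like pattern.
    flows += [("203.0.113.%d" % i, "198.51.100.20", 80, 12, 480)
              for i in range(1, 251)]
    return flows


def summarize(flows):
    """Aggregate per destination, scaling sampled counters back up."""
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, dst, _port, pkts, octets in flows:
        stats = per_dst[dst]
        stats["sources"].add(src)
        stats["packets"] += pkts * SAMPLING_INTERVAL
        stats["bytes"] += octets * SAMPLING_INTERVAL
    return per_dst


def suspect_destinations(flows, min_pps=20000, min_sources=100, max_avg_pkt=100):
    """Return (dst, pps, distinct_sources, avg_packet_bytes) for destinations
    that exceed all three thresholds at once (thresholds are illustrative)."""
    suspects = []
    for dst, stats in summarize(flows).items():
        pps = stats["packets"] / INTERVAL_SECONDS
        avg_pkt = stats["bytes"] / stats["packets"]
        if (pps >= min_pps and len(stats["sources"]) >= min_sources
                and avg_pkt <= max_avg_pkt):
            suspects.append((dst, round(pps), len(stats["sources"]), round(avg_pkt)))
    return suspects


if __name__ == "__main__":
    for dst, pps, sources, avg_pkt in suspect_destinations(build_sample_flows()):
        print(f"suspect dst={dst} pps={pps} sources={sources} avg_pkt={avg_pkt}B")
```

Thresholds like these need a per-network baseline; forgetting to scale by the sampling interval makes every rate look far lower than it is.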
12-25-2014 08:50 PM
Dear Xander,
Thank you for your feedback.
Sothea