Control plane policing for multi-homed routers to prevent DDoS attacks

Hi

Our HQ has two routers which are connected to two different ISPs. I would like to configure Control Plane Policing. Please advise a step-by-step configuration; after applying it I would like to test it.

I have gone through the Cisco site but there is a huge amount of information; I just need a sample configuration to apply and test, in order to protect from DDoS attacks. CPU and memory process should not increase more than 60% or 50% on average.

Thanks

Comments

  • What specific sorts of things are you looking to protect against? DDOS is rather broad, and control plane policing is not going to help you one tiny bit if there are thousands of hosts sending traffic to your web server.

    What attacks are you looking to mitigate? Those that target the router itself? Or traffic through your network?

    If you're looking to say limit SSH connections to the router, well...why do you allow that traffic in the first place?

  • peetypeety

    Our HQ has two routers which are connected to two different ISPs. I would like to configure Control Plane Policing. Please advise a step-by-step configuration; after applying it I would like to test it.

    I have gone through the Cisco site but there is a huge amount of information; I just need a sample configuration to apply and test, in order to protect from DDoS attacks.

    There's "huge information" because everyone's traffic is different. You'll have to analyze your own traffic first, then apply COPP. Consider starting with a very binary approach: allow the traffic you think you need, deny the traffic you think you don't. Once you recover from the traffic you forgot about, then start to move traffic down to a lower bucket, and monitor for issues. I suggest an offline ACL repository (i.e. a TFTP server), so you can more easily cut/paste lines from one ACL to another. For example, a heavily-routed backbone will have lots of /31 links and therefore less ARP traffic than a datacenter aggregation router with /24s or larger. That's why you won't find exact sample configurations.

    CPU and memory process should not increase more than 60% or 50% on average.

    Where are you coming up with these numbers? It's your job to simply do the best you can to defend against the attacks. Do you even know if your two HQ routers have a distributed architecture?
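    An added sketch of the tiered approach peetypeety describes, not configuration from this thread or from INE: an IOS CoPP policy with classes for routing, management and monitoring traffic plus a small catch-all bucket. The peer and admin prefixes are documentation-range placeholders, and the police rates are placeholders to be replaced with figures from your own traffic baseline.

```cisco
! Placeholder eBGP peers (documentation ranges): replace with the real neighbour addresses
ip access-list extended COPP-CRITICAL
 remark eBGP sessions to both ISPs, matched in either direction
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark IGP between the two HQ routers, if one is run
 permit ospf any any
!
! Management only from the internal admin prefix (placeholder 192.0.2.0/24)
ip access-list extended COPP-MANAGEMENT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
 permit udp any eq ntp any eq ntp
!
ip access-list extended COPP-MONITORING
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-CRITICAL
 match access-group name COPP-CRITICAL
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-MONITORING
 match access-group name COPP-MONITORING
!
! Rates (bps) and bursts (bytes) are placeholders; derive them from your own baseline
policy-map COPP-POLICY
 class COPP-CRITICAL
  police 512000 8000 8000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 128000 8000 8000 conform-action transmit exceed-action drop
 class COPP-MONITORING
  police 64000 8000 8000 conform-action transmit exceed-action drop
 class class-default
  police 32000 8000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! To test: watch the conformed/exceeded counters per class, then tighten rates
! show policy-map control-plane
```

    The critical class starts with exceed-action transmit so routing traffic is only counted, never dropped, until the counters show what normal looks like; only then lower its bucket, as the reply above suggests.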

  • I really find it odd that you are using this forum to essentially have other people do your job for you.
    If you aren't capable of doing these things, and you aren't capable of learning them, then maybe you need to hire someone, or hire a consultant.
    If you have specific questions with problems, then sure, most people would be happy to help troubleshoot…but simply asking for someone to give you configs…is nuts.
    -Dan

    On Sep 27, 2013, at 11:26 AM, ciscotrainings <[email protected]> wrote:

    Hi

    Our HQ has two routers which are connected to two different ISPs. I would like to configure Control Plane Policing. Please advise a step-by-step configuration; after applying it I would like to test it.

    I have gone through the Cisco site but there is a huge amount of information; I just need a sample configuration to apply and test, in order to protect from DDoS attacks. CPU and memory process should not increase more than 60% or 50% on average.

    Thanks





  • Sorry, but you are asking for a recipe that does not exist. Each environment is different from the other, each attack is different from the other. To tell you the truth, this type of work is usually based on heuristics; you cannot throw something on your router and, just because it is a best practice, think it will work 100% for your scenario.

    I think you need to come up with a few questions in order to get a common sense of what you are trying to accomplish.

  • I have hired a company called prolexic.com to test their services for 3 months. What they have done is create a tunnel ramp on both our routers; they divert the traffic as an attack occurs, but sometimes they start late, and during that time our routers get lots of hits, due to which the CPU utilization goes high.

    Now I myself am involved in the tech issue and want to learn it myself.

    With the last post on EMM, an IEOC member helped me, giving me a proper clue to implement EMM, which I have done successfully.

    If you know any good DDoS solution companies, please advise. I don't mind learning any small piece of information; I am here for learning.

    Thanks

  • If you're being overwhelmed by data plane traffic, then what impact do you expect Control Plane Policing to have?

  • During the attack period the CPU utilization should not reach 100%, with all the business applications inaccessible. Minimizing the CPU utilization is my target using COPP. Thanks

  • I don't think you have any understanding of what Control Plane Policing is designed for, or what attacks it can help mitigate.

    If your CPU is going high because of data plane traffic, how do you think CoPP is going to help?

    You really need to engage some external consultants to help you with this.

  • You are absolutely right; I am trying my level best to provide protection for all three planes (management, data and control). Thanks

  • If DDoS is a significant issue for your business, and it's that much of a problem that you need to use external DDoS mitigation services, then it should be worth investing in getting professional help.

    When you do talk to experts in this field, you should explain your problems and requirements, but then let them make the technical decisions. Don't say "I need Control Plane Policing and my router CPU must stay below 60%" - instead tell them about the types of attacks you're experiencing, the impact that has on your business, and explain your current system architecture, and the services that you need to protect.

    Also keep in mind that this forum is primarily for CCIE Lab study. It's not a forum to find other people to do your job for you. If people are going to help you here, you need to make it as easy as possible for them. If you've done some research on various techniques, and would like advice on pros/cons of each, that's fine. If you've got some configuration that you've put together, but it isn't quite working right, that's fine - maybe someone can help. 

    But to just come with a blank page, with an assignment the boss has handed you...it doesn't really encourage others to help. 
