8 Replies. Latest reply: May 9, 2012 4:50 AM by ESummers

    DoS attack prevention


      Hey all,



      I have been trying to research the best way to prevent a DoS attack on a Cisco border router. Thoughts, anyone?



        • 1. Re: DoS attack prevention
          Keith Barker - CCIE RS/Security, CISSP

          If the attack is against the border router itself, control plane policing/protection is a great feature that can help.


          If there is a flood of traffic to the border router, the ISP could do some filtering for you, to reduce the flood before it even gets to you.


          If we are protecting against a DoS aimed at devices behind our border router, we could use the above techniques and add ingress filtering and unicast RPF checks.   We could also implement the software flavor of IPS (if our router supports it, and has enough CPU to handle it) to defend against an attack.


          Following the best practices for hardening the router is a good idea as well.   Here is a link to the NSA recommendations for a Cisco router:



          Best wishes,

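The two router-side measures named above (control-plane policing for the router itself, ingress filtering plus unicast RPF for what sits behind it) put together as one Cisco IOS configuration. This is an added example, not configuration from the original reply or from Cisco documentation. The outside interface (GigabitEthernet0/0), the addresses (our block 198.51.100.0/24, the ISP link 203.0.113.0/30), the eBGP peer and the police rates are all assumptions chosen to make the example concrete; tune the rates to your own platform and traffic.

```cisco
! Added example (not from the original post). Assumptions: outside interface
! is GigabitEthernet0/0 with 203.0.113.2/30 facing ISP peer 203.0.113.1,
! our public block is 198.51.100.0/24, management hosts live in that block,
! and the router runs eBGP with the ISP.

! --- 1. Ingress filtering for the hosts behind the router ---------------
! Drop packets that can never legitimately arrive from the Internet:
! our own block as a source (spoofed), RFC 1918 space and loopback.
ip access-list extended INGRESS-ANTISPOOF
 remark own prefix as a source is always spoofed
 deny   ip 198.51.100.0 0.0.0.255 any
 remark RFC 1918 and loopback sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside interface to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group INGRESS-ANTISPOOF in
 ! Strict uRPF: a packet is dropped unless the best route back to its
 ! source points out this same interface. Safe on a single-homed link
 ! where routing is symmetric; use "reachable-via any" if it is not.
 ip verify unicast source reachable-via rx

! --- 2. Control-plane policing for the router itself -------------------
! Classify what may reach the route processor, give the things the router
! needs (BGP, management) a comfortable rate, cap ICMP, drop known junk,
! and hard-limit everything else that gets punted to the CPU.
ip access-list extended CoPP-ROUTING
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
ip access-list extended CoPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
ip access-list extended CoPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
ip access-list extended CoPP-UNDESIRABLE
 remark fragments to the router itself and old worm ports are never wanted
 permit tcp any any fragments
 permit udp any any fragments
 permit udp any any eq 1434
!
class-map match-all CoPP-ROUTING
 match access-group name CoPP-ROUTING
class-map match-all CoPP-MGMT
 match access-group name CoPP-MGMT
class-map match-all CoPP-ICMP
 match access-group name CoPP-ICMP
class-map match-all CoPP-UNDESIRABLE
 match access-group name CoPP-UNDESIRABLE
!
policy-map CoPP
 class CoPP-UNDESIRABLE
  police 8000 conform-action drop exceed-action drop
 class CoPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class CoPP-MGMT
  police 500000 conform-action transmit exceed-action drop
 class CoPP-ICMP
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 100000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

Check it with `show policy-map control-plane` during normal operation before trusting the numbers: the class-default counters tell you how much legitimate punted traffic (ARP, things you forgot to classify) you are already dropping, and the CoPP-ROUTING class should never show exceeds. The order of classes matters; undesirable traffic is matched first so it can never consume the routing or management budget.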


          • 2. Re: DoS attack prevention

            Hi Cjinfantino


            Do not connect it to the Internet.


            Have an Internet pipe bigger than the whole Internet.


            Arrange with the State Intelligence Service to make it known that any offenders may be visiting their HQ.


            There is nothing you can do because you are at the end of the chain. You need to stop the attack within the Internet.


            Cyber-terrorism is now thought to be the next form of warfare so there is nothing you can do except not connect to the Internet.


            Before the Internet, companies would have private circuits between their locations, but now the Internet is used to interact with customers and suppliers, so you can detect a DoS but you cannot stop those packets filling up the circuit.


            The only answer is an Internet police: when you report a DoS attack, every ISP stops routing traffic to you from potential attackers. But would agreement be achieved? I think not.


            I suppose if you could give every supplier a certificate and modify IP to carry a hash using the private key, and then each router would use the public key to check the IP packet and drop it if invalid, it might work.


            Regards Conwyn

            • 3. Re: DoS attack prevention

              Thanks all,


              I have devices behind my border router that were getting attacked. I tried to blackhole the IP at that point on the border router but it was so overwhelmed it didn't do anything.


              Our ISP ended up blocking traffic from that specific IP. I really am looking for a way that, in the future, should this happen again (and it will), the router can react in a proactive manner... I was thinking something along the lines of rate limiting on the public-facing interface.


              Not sure.

              • 4. Re: DoS attack prevention

                Hi CJ


                Once it hits your router it is too late. OK, maybe some good traffic can get through, but if the attacker is firing 2Mb at your 1Mb circuit nothing will stop it, especially if he is faking the source addresses. Your ISP is the key.


                Regards Conwyn
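The thread has reached the practical point: a blackhole on the border router did nothing because the pipe was already full, and what actually worked was the ISP dropping the source. The usual way to make that repeatable, so the router "reacts proactively" the next time, is to do the local blackhole properly and at the same time announce the attacker's address to the ISP as a BGP remotely triggered blackhole (RTBH). The configuration below is an added example written for this thread, not something posted by any of the participants or taken from a vendor document. The attacker source 192.0.2.77, our AS 64500, the ISP peer 203.0.113.1 in AS 64496, our prefix 198.51.100.0/24 and the blackhole community 64496:666 are all assumptions; the community value in particular is whatever your ISP publishes, and the ISP must actually support source-based RTBH (loose uRPF on its edges) for the source drop to happen upstream.

```cisco
! Added example, not from the original thread. Assumed values: attacker
! source 192.0.2.77, our AS 64500 with prefix 198.51.100.0/24, ISP peer
! 203.0.113.1 in AS 64496, ISP blackhole community 64496:666.

! --- 1. Local source-based blackhole -----------------------------------
! A static route to Null0 by itself only drops traffic DESTINED to the
! address. Combined with uRPF on the outside interface it also drops
! traffic FROM that address, because a source whose best route is Null0
! fails the RPF check in either strict or loose mode. Loose mode is used
! here so the check stays safe even if routing to the ISP is asymmetric.
interface GigabitEthernet0/0
 description Outside interface to ISP
 ip verify unicast source reachable-via any
!
! Null0 would otherwise answer each dropped packet with an ICMP
! unreachable, which costs CPU during a flood.
interface Null0
 no ip unreachables
!
! The trigger route. Tag 666 is what marks it for announcement to the ISP
! below; "no ip route ..." withdraws both the local drop and the RTBH.
ip route 192.0.2.77 255.255.255.255 Null0 tag 666

! --- 2. Hand the same drop to the ISP (RTBH) ---------------------------
! Only tagged /32 static routes are ever redistributed, so an ordinary
! static route can never be leaked to the ISP as a blackhole.
ip prefix-list HOST-ROUTES-ONLY seq 5 permit 0.0.0.0/0 ge 32
ip prefix-list OUR-PREFIXES seq 5 permit 198.51.100.0/24
!
route-map RTBH-STATIC permit 10
 match tag 666
 match ip address prefix-list HOST-ROUTES-ONLY
 set community 64496:666 no-export
!
ip community-list standard RTBH permit 64496:666
!
! Outbound policy: the blackhole /32s carry the community; everything else
! we announce must be one of our own prefixes.
route-map ISP-OUT permit 10
 match community RTBH
route-map ISP-OUT permit 20
 match ip address prefix-list OUR-PREFIXES
!
router bgp 64500
 network 198.51.100.0 mask 255.255.255.0
 redistribute static route-map RTBH-STATIC
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map ISP-OUT out
```

Two things to verify before relying on this. `show ip bgp neighbors 203.0.113.1 advertised-routes` should list only 198.51.100.0/24 plus the tagged /32, and `show ip interface GigabitEthernet0/0 | include verif` should show the uRPF counters climbing during an attack; if the ISP honours the community, its own interface counters (not yours) are where the flood ends up. The no-export keeps the /32 inside the ISP's AS, which is what you want: the blackhole is a request to your upstream, not an announcement to the world. Destination-based RTBH (null-routing your own attacked host so the ISP stops the flood at its edge) uses the same mechanism with your own address as the /32, at the cost of completing the DoS against that one host while the rest of the pipe recovers.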

                • 5. Re: DoS attack prevention



                  Contact prolexic dot com.

                  World leader in mitigating DDoS over the Internet. They have scrubbing centers in China, London and 2 in the USA with 100 Gig of bandwidth in each. They move all your traffic (when under attack) from the Internet to their scrubbing centers and send back the cleaned traffic over GRE tunnels to your gateway.


                  Amazing solution they have.

                  • 6. Re: DoS attack prevention

                    Example: You are hosting a web server at, which is under a denial of service attack. Use NBAR to limit web traffic to that server to 200 kb/s.

                    access-list 188 permit tcp any host eq www

                    class-map match-all DoS
                     match access-group 188

                    policy-map DoS-Attack
                     class DoS
                      police cir 200000 bc 37500 be 75000
                       conform-action transmit
                       exceed-action drop
                       violate-action drop

                    interface gig0/0
                     description "Outside Interface"
                     service-policy input DoS-Attack

                    • 7. Re: DoS attack prevention

                      To Conwyn


                      Yes, we can't stop attacks, but:


                      "Network Security is to create hurdles in the way of the attacker/hacker so that he might need extensive resources to cross the hurdles, OR he spends so much time that the grabbed information would not be useful/valuable for him."


                      It means we can't make it 100% secure, but we can give him a tough time.

                      • 8. Re: DoS attack prevention

                        Conwyn wrote:


                        Hi Cjinfantino


                        Do not connect it to the Internet.


                        Wait... were you featured in that video, "Stuff" Information Assurance People Say?


                        I did try this method at home.  It comes with the minor annoyance of also killing my email, but so far I have suffered no spam and it has really killed the pop-up ads!