Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
24-2
Configuring DoS Protection
The following sections describe the different DoS protection implementations and give configuration
examples:
• Supervisor Engine DoS Protection, page 24-2
• Security ACLs, page 24-2
• QoS ACLs, page 24-4
• Forwarding Information Base Rate-Limiting, page 24-5
• ARP Throttling, page 24-5
• Monitoring Packet Drop Statistics, page 24-6

Supervisor Engine DoS Protection
The supervisor engine has built-in mechanisms that limit the rate of traffic in hardware and prevent
flooding of the route processor and denial of service. Rate-limiting allows most of the traffic to be
dropped in hardware and only a small percentage of the traffic to be forwarded to the route processor at
a nonconfigurable rate of 0.5 packets per second. Rate-limiting of packets in hardware exists for the
following traffic conditions:
• ICMP unreachable messages for ACL deny
  This condition allows most ACL-denied packets to be dropped in hardware, and some packets to be
  forwarded to the route processor for monitoring purposes.
  Note
  Because the system is programmed to bridge all ACL-deny log packets to the route processor,
  we do not recommend that you configure deny log ACEs in a security ACL.
• ICMP redirect messages
  ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is
  available for a particular destination. Most of these messages are dropped in hardware and only a
  few messages need to reach the route processor.
• Forwarding Information Base (FIB) Failures
  If the FIB does not know how to route traffic for a specific IP destination address, some packets will
  be forwarded to the route processor to generate ICMP redirect messages.
• Reverse Path Forwarding (RPF) Failures
  If the FIB IP source address lookup results in an RPF failure, some packets will be forwarded to the
  route processor to generate ICMP unreachable messages.

Security ACLs
The Cisco 7600 series router can deny packets in hardware using security ACLs and can drop DoS
packets before they reach the CPU inband datapath. Because security ACLs are applied in hardware
using the TCAM, long security ACLs can be used without impacting the throughput of other traffic.
Security ACLs can also be applied after a DoS attack has been identified.
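The security ACL approach described in this chapter, as an added example that is not taken from the configuration guide: the first ACL carries a deny log ACE, which the note above says is bridged to the route processor, and the second is the form that lets the TCAM drop the matching packets in hardware. The ACL names, the interface and the source address are placeholders.

```cisco
! Added example, not from the guide. A security ACL applied on the ingress
! interface after a flood from one source (placeholder 192.0.2.10) has been
! identified.

! --- Weak form: "log" on the deny ACE ---
! ACL-deny log packets are bridged to the route processor, so every matching
! packet is punted to the CPU instead of being dropped in the TCAM, which is
! the opposite of what a DoS filter should do.
ip access-list extended DOS-FILTER-WEAK
 deny   ip host 192.0.2.10 any log
 permit ip any any

! --- Corrected form: deny without "log" ---
! Matching packets are denied in hardware; only the small, rate-limited share
! is forwarded to the route processor to generate ICMP unreachable messages.
ip access-list extended DOS-FILTER
 deny   ip host 192.0.2.10 any
 permit ip any any

! Apply the hardened ACL inbound on the interface facing the attack source
! (placeholder interface name).
interface GigabitEthernet3/1
 ip access-group DOS-FILTER in

! Confirm the ACL is installed as written (no "log" on the deny ACE):
! show ip access-lists DOS-FILTER
```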
Chapter 24
Configuring Denial of Service Protection
78-14064-04