DDoS attack discovered on a 10Gb link to a subscriber. As an ISP we send the subscriber's address (destination) to the blackhole so the DDoS attack is eliminated from our network. We investigate and find one of the IPs used. The obvious problem here is: "When do we allow traffic back to that subscriber without having to ask the upstream ISP?" This presents a problem. So we think: "I know, why don't we use one of our queues, set it to 1kb and send the traffic from the source to that queue, thus negating the DDoS attack and allowing the other legitimate traffic to the subscriber".....
So, there is the scenario, and now here is the question:
Is there a way of using CoS to separate traffic based on source address and send that traffic to a queue?
Obviously there is a simpler method of just blocking that address and sending the traffic to a null interface, however, from my understanding this method is utilised AFTER the traffic has entered the physical interface whereas the CoS option can separate this AT the physical interface, thus negating Bandwidth consumption at the interface level....
Another option would be to setup jflow and send it to an open source flow collector like nfsen or one of the other ones.
Then even after you blackhole the traffic the previous flows can be searched and you can see where the traffic was coming from during the attack.
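A minimal jflow (NetFlow v5) sampling configuration of the kind the reply describes, added here as an example and not part of the original thread. The collector address 192.0.2.10, the interface xe-1/0/0 and the 1:1000 sampling rate are placeholders; the `#` lines are annotations, not commands. The `forwarding-options sampling` hierarchy differs between Junos releases and platforms (inline jflow on Trio-based MX needs a sampling instance and a v9/IPFIX template instead), so check the statements against the documentation for your release.

```junos
# Added example (not the thread's own config). 192.0.2.10 is a placeholder
# collector (e.g. nfsen/nfcapd listening on UDP 2055); xe-1/0/0 is the
# upstream-facing port where attack traffic enters.

# Sample 1 in every 1000 packets and export NetFlow v5 records to the collector
set forwarding-options sampling input rate 1000
set forwarding-options sampling family inet output flow-server 192.0.2.10 port 2055
set forwarding-options sampling family inet output flow-server 192.0.2.10 version 5

# Filter that marks packets for sampling and then accepts them unchanged
set firewall family inet filter sample-all term all then sample
set firewall family inet filter sample-all term all then accept

# Apply on ingress from the upstream so attack flows are recorded
# before any blackhole route or filter drops them
set interfaces xe-1/0/0 unit 0 family inet filter input sample-all
```

With records in the collector, the sources hitting the blackholed subscriber can be ranked after the fact; with nfdump (which nfsen uses underneath) a query of the form `nfdump -R <flow directory> 'dst ip <subscriber>' -s srcip/bytes` lists the top source addresses by bytes, which is the list you would feed into a per-source filter instead of a destination blackhole.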
As always, a great response, Spuluka....
It doesn't quite answer the following though:
To stop interface bandwidth utilisation is it best to use CoS from source?
Is it best to use policy statements when source is known?
Does CoS work at interface level (FPC)? If it does then this is what we require, as we need to stop bandwidth being eaten up.
Policy statements will be used once the traffic is past the physical interface? This will not solve the bandwidth issue.
So, for example, could I use the following (but it would require a source address somewhere)?
set firewall policer ddos-test if-exceeding bandwidth-percent 80
set firewall policer ddos-test if-exceeding burst-size-limit 500k
set firewall policer ddos-test then discard
set firewall filter ddos-filter term ddos then policer ddos-test
set firewall filter ddos-filter term ddos then accept
Then I can apply this to the required interface.....
How can I get this to work with a source address please?
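One way to put a source address on the policer in the post above, added here as an example and not the poster's or Spuluka's own configuration. The attacker address 203.0.113.7, the subscriber prefix 198.51.100.0/24 and the interface xe-1/0/0 are placeholders, and the `#` lines are annotations rather than commands. The firewall filter does the per-source separation the post is asking CoS for: a `from source-address` term sends only that source's traffic through the policer, a second term leaves everything else alone, and the filter is applied as an input filter on the upstream-facing interface. Input filters are evaluated in the PFE on the ingress FPC, so policed packets are dropped before they cross the fabric to the subscriber's 10Gb link; what no on-box filter can reduce is the bits already arriving on the upstream-facing link itself, which is the case for keeping the upstream RTBH or a flowspec announcement for a genuinely link-saturating attack.

```junos
# Added example (not the thread's own config). Placeholders:
#   203.0.113.7      - the attacking source found during investigation
#   198.51.100.0/24  - the subscriber's prefix
#   xe-1/0/0         - the interface facing the upstream ISP

# Policer: absolute cap (bandwidth-limit, not bandwidth-percent, so it does not
# scale with interface speed); excess is discarded rather than queued
set firewall policer ddos-test if-exceeding bandwidth-limit 1m
set firewall policer ddos-test if-exceeding burst-size-limit 500k
set firewall policer ddos-test then discard

# Term 1: only packets from the attacker to the subscriber go through the policer
set firewall family inet filter ddos-filter term ddos from source-address 203.0.113.7/32
set firewall family inet filter ddos-filter term ddos from destination-address 198.51.100.0/24
set firewall family inet filter ddos-filter term ddos then policer ddos-test
set firewall family inet filter ddos-filter term ddos then accept

# Term 2: everything else is accepted untouched
# (a Junos filter ends with an implicit discard, so this term is required)
set firewall family inet filter ddos-filter term allow-rest then accept

# Apply on ingress from the upstream, where the attack enters, not on the
# subscriber-facing interface
set interfaces xe-1/0/0 unit 0 family inet filter input ddos-filter
```

To drop the source outright instead of rate-limiting it, replace the policer actions in term `ddos` with `then discard`; add `then count ddos-hits` to either form and watch `show firewall filter ddos-filter` to confirm the term is matching before trusting it. The 1m limit is the example's stand-in for the post's "1kb queue"; pick a value small enough to neutralise the attack but large enough that a later check of the counter still shows whether the source is active.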
I will close this as resolved by Spuluka....
We will just set the policy statements and route to null interface.....