36-12
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 36 Configuring Denial of Service Protection
Understanding How DoS Protection Works
QoS Rate Limiting
QoS ACLs limit the amount of a particular type of traffic that is processed by the MSFC3. If a DoS attack
is initiated against the MSFC, QoS ACLs can prevent the DoS traffic from reaching the MSFC data path
and congesting it. The PFC3 performs QoS in hardware, which offers an efficient means of limiting DoS
traffic (once that traffic has been identified) to protect the router from impacting the MSFC.
For example, if the network is experiencing ping-of-death or smurf attacks, the administrator should rate
limit the ICMP traffic to counteract the DoS attack and still allow legitimate traffic through the
processor, or allow it to be forwarded to the MSFC or host. This rate limiting configuration must be done
for each flow that should be rate limited and the rate-limiting policy action should be applied to the
interface.
In the following example, the access-list 101 permits and identifies ping (echo) ICMP messages from
any source to any destination as traffic. Within the policy map, a policing rule defines a specified
committed information rate (CIR) and burst value (96000 bps and 16000 bps) to rate limit the ping
(ICMP) traffic through the chassis. The policy map then is applied to an interface or VLAN. If the ping
traffic exceeds the specified rate on the VLAN or interface where the policy map is applied, it is dropped
as specified in the markdown map (the markdown map for the normal burst configurations is not shown
in the example).
Router(config)#
access-list 101 permit icmp any any echo
Router(config)#
class-map match-any icmp_class
Router(config-cmap)#
match access-group 101
Router(config-cmap)#
exit
Router(config)#
policy-map icmp_policer
Router(config-pmap)#
class icmp_class
Router(config-pmap-c)#
police 96000 16000 conform-action transmit exceed-action
policed-dscp-transmit drop
Router(config-pmap-c)#
exit
Router(config-pmap)#
exit
uRPF Check
When you enable the unicast reverse path forwarding (uRPF) check, packets that lack a verifiable source
IP address, such as spoofed IP source addresses, are discarded. Cisco Express Forwarding (CEF) tables
are used to verify that the source addresses and the interfaces on which they were received are consistent
with the FIB tables on the supervisor engine.
After you enable uRPF check on an interface (per-VLAN basis), the incoming packet is compared to the
CEF tables through a reverse lookup. If the packet is received from one of the reverse path routes, the
packet is forwarded. If there is no reverse path route on the interface on which the packet was received,
the packet fails the uRPF check and is either dropped or forwarded, depending on whether an ACL is
applied to the uRPF check fail traffic. If no ACL is specified in the CEF tables, then the forged packets
are immediately dropped.
You can only specify an ACL for the uRPF check for packets that fail the uRPF check. The ACL checks
whether the packet should immediately be dropped or forwarded. The uRPF check with ACL is not
supported in any PFC3 in hardware. Packets that are denied in the uRPF ACL are forwarded in hardware.
Packets that are permitted are sent to the CPU.
The uRPF check with a PFC3 is supported in hardware; it is also supported in hardware with a PFC2,
but with only one return path. However, all packets that fail the uRPF check, and are forwarded because
of an applied ACL, can be sent and rate limited to the MSFC to generate ICMP unreachable messages;
these actions are all software driven. The uRPF check in hardware is supported for routes with up to two
return paths (interfaces) and up to six return paths with interface groups configured (two from the FIB
table and four from the interface groups).