|•Cisco bugfixes which address some of the
problems related to protection against Denial of Service attacks:
|•BugID CSCdj35407 - “fast drop” ACL code -
integrated in 11.1(14)CA
|•This fix decreases the load on the router’s CPU
when a packet matches an ACL “deny” line.
Previously, the processor would place every denied packet through the
slow switching path in order to send the appropriate ICMP unreachable
messages. With this fix, only 2
packets per second go to the slow path in order to process those messages.
|•BugID CSCdj35856 - ACL logging throttles -
integrated in 11.1(15)CA
|•This fix introduced a command “ip access-list
logging interval” to set the interval between syslog notifications as a
result of a “log” keyword in an ACL.
|•Unicast RPF checking insures that packets
aren’t source-spoofed by ensuring that the packet came in on the same
interface as the path back to the source address. This is disabled by default, as there are configurations in
which it would prevent legitimate traffic from flowing (multi-homed
environments). However, for stub
networks (those with only one entry/exit point), this command ensures that
there are no source-spoofed packets with bogus source addresses.
|•For the Internet, inter-provider cooperation in
tracking down attacks is essential.
NOCs are encouraged to have published procedures/policies for engaging
a technical team capable of tracking such attacks.