We have Cisco IOS XR routers with our ISP: on occasion (once
every 1-2 months) there's a sudden high surge of traffic which may
not be DDoS, as it comes from a specific IP (e.g. AWS or even a
CDN): sometimes O365 may 'sync' and result in high utilization.
This high traffic is typically TCP 443 and sometimes TCP 80.
We don't want to scrub/block as we may disrupt legit traffic.
I saw somewhere that IOS XR can be configured with ACLs
such that it limits bandwidth from each source IP to a specific
destination IP (usually this high traffic is to our User VLAN's
PAT public IP 203.x.y.68). I guess this ACL should be at
our ISP router's end rather than at the router on our premises,
so as to block it further upstream before it congests the pipe
we have with our ISP.
Does anyone have such a Cisco ACL to share?
Any other mitigations (police statements in the ISP's router?
I guess at our core switches we can't do much)? Our
ISP/Telco has some sort of Arbor device, but when I asked
them if they can restrict bandwidth from each external IP
to, say, 15 Mbps, they couldn't advise.
We have 2 pipes to our ISP that go to different exchanges
(and 2 different XR routers at our end): somehow virtually
all traffic (including the high-bandwidth one) often
goes to the 1st pipe: is there any way to load-balance between the
2 links? The telco just can't advise.
We don't plan to subscribe to CDN.
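The kind of policer the question is asking about, as an added example that is not the poster's or the ISP's configuration: an IOS XR MQC policy that rate-limits TCP 443/80 traffic destined to the PAT address. Everything here is an assumption made for illustration: 203.0.113.68 (an RFC 5737 documentation address) stands in for the post's 203.x.y.68, the access-list/class-map/policy-map names are invented, the 50 Mbps rate is a placeholder, and TenGigE0/0/0/0 is whichever interface faces the other side of the link.

```text
! IOS XR example (added here, not from the original post).
! Match web traffic to the PAT public IP (203.0.113.68 stands in for 203.x.y.68).
ipv4 access-list PAT-WEB-IN
 10 permit tcp any host 203.0.113.68 eq 443
 20 permit tcp any host 203.0.113.68 eq 80
!
class-map match-any PAT-WEB
 match access-group ipv4 PAT-WEB-IN
 end-class-map
!
! Aggregate policer: everything the class matches shares one 50 Mbps bucket.
policy-map POLICE-PAT-WEB
 class PAT-WEB
  police rate 50 mbps
   conform-action transmit
   exceed-action drop
  !
 !
 class class-default
 !
 end-policy-map
!
! On the ISP's PE: apply OUTPUT toward the customer link so the drop happens
! before the bytes enter the pipe. On the customer CPE an INPUT policer only
! protects what sits behind the router; the link itself has already been filled.
interface TenGigE0/0/0/0
 service-policy output POLICE-PAT-WEB
!
```

Two caveats a practitioner would check before relying on this. First, an MQC policer limits the whole class, not each source separately: IOS XR has no per-source-IP microflow policer in this form, so a "15 Mbps from each external IP" limit needs either one class per offending source (a host-specific ACL such as `permit tcp host <source> host 203.0.113.68`) or a mechanism outside plain MQC such as a BGP FlowSpec rule with a rate-limit action that the ISP's PE honours. Second, as the post already suspects, placement matters: a policer on the customer router cannot un-congest the access circuit, which is why the request has to be met on the ISP side (or via FlowSpec/Arbor) rather than on the premises router.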