DDoS protection for switches which don’t support hardware DDoS protection

  • 27 April 2018
  • 1 reply

Userlevel 1
Are there any recommendations/best practices for protecting cumulus switch deployed as Internet edge router ? If they don’t support hardware-enabled DDoS protection

1 reply

Userlevel 1
Policing Control Plane and Data Plane Traffic describes how to use netfilter/acl rules to harden the control plane.

You can also use the Cumulus switch to filter DDoS attacks targeted at your infrastructure:
1. Enable sFlow for traffic visibility
2. Enable REST API for remote control of ACLs
3. Use controller to automatically detect and block attacks.

If you are running BGP, you can also Remotely Triggered Black Hole (RTBH) Routing to mitigate attacks.