This is the worst-case scenario, considering the attack forms known at the time of writing this book. It is conceivable that other attack forms with different behavior might appear in the future. In that case, the design guidelines would have to be updated.


Modern routers such as the Cisco CRS, 12000, or 7600 series can process many security features such as ACLs, NetFlow, committed access rate (CAR), and others at the same time at full line speed. This is required to counteract DoS attacks.


The Cisco Guard XT is a product that cleans packet floods from DoS attacks. Its strength is that it lets valid user traffic reach the destination while attack traffic is dropped. For more information, please see


For more information on the Cisco Carrier Routing System (CRS), see