Akamai DDOS Template

This is a pretty simple setup. Akamai will provide the details needed to complete this. Below is a template that you can use and edit the names and make whatever necessary changes you need.

There are two important settings you need to do.

1. MSS of 1436 on all ISP(Carrier)/Uplink Interfaces
2. MSS of 1360 on all Appliances that have Site-to-Site VPN Tunnels
*NO MSS adjustments needed for the GRE Tunnels

For setting # 2 above, for me, it’s typically a Cisco ASA with VPN Tunnels. The command you need is a global command:

sysopt connection tcpmss 1360

One last setting you might also want to do and these are for GRE Tunnels:

1. Set keepalive to “keepalive 30 3”
2. Set hold-queue’s to “hold-queue 1024 in” and “hold-queue 1024 out”

#####Definitions:

IP Prefix 1 to protect: {PREFIX 1}
AKAMAI Site1 tunnel destination: {SITE1 TUNNEL DEST} 
AKAMAI Site1 tunnel IP: {SITE1 TUNNEL IP} 
AKAMAI Site2 destination: {SITE2 TUNNEL DEST} 
AKAMAI Site2 IP: {SITE2 TUNNEL IP} 
ISP1 peer IP: {ISP1 PEER IP} 
ISP1 ASN: {ISP1 ASN} 
Customer ASN: {CUST ASN} 
AKAMAI Site1 peer IP: {AKAMAI  SITE1 PEER IP}  
AKAMAI Site2 peer IP: {AKAMAI  SITE2 PEER IP}

#####Example Cisco configurations:

interface Tunnel1 
 description GRE-to-Akamai-1 
 ip address  255.255.255.254 
 keepalive 30 3 
 tunnel source FastEthernet0/1 
 tunnel destination  
 hold-queue 1024 in 
 hold-queue 1024 out 

interface Tunnel2 
 description GRE-to-Akamai-2 
 ip address  255.255.255.254 
 keepalive 30 3 
 tunnel source FastEthernet0/1 
 tunnel destination  
 hold-queue 1024 in 
 hold-queue 1024 out 
 
interface Tunnel3 
 description GRE-to-Akamai-3 
 ip address  255.255.255.254 
 keepalive 30 3 
 tunnel source FastEthernet0/1 
 tunnel destination  
 hold-queue 1024 in 
 hold-queue 1024 out 
 
interface FastEthernet0/1 
 description Internet connection to ISP 1 
 ip address 202.155.220.42 255.255.255.252 
 ip tcp adjust-mss 1436 

router bgp  
 no synchronization 
 bgp log-neighbor-changes 
 network  mask 255.255.255.0  
 neighbor Carrier1 peer-group 
 neighbor Carrier1 remote-as  
 neighbor Carrier1 description xxxxxx- 
 neighbor Carrier1 password *************************** 
 neighbor Carrier1 version 4 
 neighbor Carrier1 send-community 
 neighbor Carrier1 prefix-list CUST-subnet out 
 neighbor Akamai peer-group 
 neighbor Akamai remote-as 32787 
 neighbor Akamai description Akamai-32787 
 neighbor Akamai password *************************** 
 neighbor Akamai version 4 
 neighbor Akamai send-community 
 neighbor Akamai prefix-list deny-all in 
 neighbor Akamai prefix-list deny-all out 
 neighbor Akamai route-map Akamai -out out 
 neighbor  peer-group Akamai 
 neighbor  description GRE1-to- Akamai - SITE1 
 neighbor  peer-group Akamai 
 neighbor  description GRE2-to- Akamai - SITE2 
 neighbor  peer-group Akamai 
 neighbor  description GRE3-to- Akamai – SITE3 
 neighbor  peer-group Carrier1 
 neighbor  description Carrier1-Primary-uplink 
 no auto-summary 
 
 ip classless 
 ip route 0.0.0.0 0.0.0.0                    
 ip route  255.255.255.0 Null0 201 
  
 ip prefix-list deny-all seq 5 deny 0.0.0.0/0 le 32        
 ip prefix-list Akamai-out seq 5 permit  
 ip prefix-list Akamai-suppress seq 5 deny  
 ip prefix-list CUST-subnet seq 10 permit  
 
 route-map Akamai-out permit 10 
     match ip address prefix-list Akamai-out

#####To Activate Akamai Protection:

router bgp  
 no neighbor Carrier1 prefix-list CUST-subnet out           
 neighbor Carrier1 prefix-list Akamai-suppress out         
 no neighbor Akamai prefix-list deny-all out

clear ip bgp soft out
clear ip bgp peer-group Akamai soft out

#####To Deactivate Akamai Protection:

router bgp  
 no neighbor Carrier1 prefix-list Akamai-suppress out      
 neighbor Carrier1 prefix-list CUST-subnet out             
 neighbor Akamai prefix-list deny-all out

clear ip bgp soft out
clear ip bgp peer-group Akamai soft out