Hi,
On Wed, Aug 08, 2001 at 07:21:54AM +0200, Blaz Zupan wrote:
> > If the cause of your problem is really Code Red, you may want to check out
> > http://iponeverything.net/CodeRed.html (Protecting from CR using ACLs).
>
> We don't run (and don't plan to run) the firewall feature set on our backbone
> routers.
You don't have to. This is done with CAR, and it actually works.
I just tried it, and it's impressive...

    Class-map: code-red (match-any) (1117/2)
      4080 packets, 5351654 bytes
      5 minute offered rate 103000 bps, drop rate 99000 bps
      Match: protocol http url "*default.ida*" (1119)
        4080 packets, 5351654 bytes
        5 minute rate 103000 bps
      police:
        8000 bps, 1500 limit, 1500 extended limit
        conformed 646 packets, 202448 bytes; action: drop
        exceeded 44 packets, 55194 bytes; action: drop
        violated 3404 packets, 5109764 bytes; action: drop
        conformed 5000 bps, exceed 0 bps violate 99000 bps

CPU load is down from 60-70% (due to IP accounting all that crap) to
about 30% :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert@greenie.muc.de
fax: +49-89-35655025    gert.doering@physik.tu-muenchen.de
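
An IOS configuration that would produce counters like those in the message above, as an added example and not the poster's actual configuration. The class-map name, match pattern and police values are taken from the quoted output; the policy-map name and the interface are hypothetical.

```cisco
! Added example. Names marked "hypothetical" do not appear in the original post.
!
! NBAR classification requires CEF switching.
ip cef
!
! Class name, match-any and the URL pattern are as shown in the quoted output.
class-map match-any code-red
 match protocol http url "*default.ida*"
!
! Hypothetical policy name.
policy-map drop-code-red
 class code-red
  ! 8000 bps with 1500-byte normal and extended burst, as in the output.
  ! All three outcomes drop, so the policer also acts as a per-class counter.
  police 8000 1500 1500 conform-action drop exceed-action drop violate-action drop
!
! Hypothetical interface: apply inbound where the HTTP requests arrive.
interface FastEthernet0/0
 service-policy input drop-code-red
```

The per-class counters are then displayed with `show policy-map interface FastEthernet0/0`.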