[nsp] limit connections per-source-ip on pix or localdir?

Christopher McCrory chrismcc at pricegrabber.com
Thu Jul 31 19:04:27 EDT 2003


Hello...

On Thu, 2003-07-31 at 16:09, Rob Helmer wrote:
> Hello,
> 
> 
> I run a network with a PIX 515 on the outside, and a LD 410 on the
> inside.
> 
> I would like to limit the number of open connections to (say)
> 1000 per source IP. I've gone through all the manuals, but the
> closest I've found is "maxconns" on the LD side, which just limits
> the total number of open connections to a particular service, which
> won't fit my needs.
> 
> The story behind this is that a client with many more servers than we
> have has accidentally flooded us with requests a couple times, which
> makes all of our servers too busy to respond to other clients.
> 
> We still have bandwidth to spare though. I'd like to limit the number
> of requests any one client can make, ideally without buying any more
> gear (although I am open to suggestions :) ).
> 

two ways at least :)

1:

pix>  shun ip.address.of.client

hit client with cluebat

repeat as necessary :)

2:

ld> assign

set up a real/virtual/bind to a specific server just for this client,
they overload it, everyone else is still happy.

there might be other ways




> 
> 
> Thanks,
> Rob Helmer
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
-- 
Christopher McCrory
 "The guy that keeps the servers running"
 
chrismcc at pricegrabber.com
 http://www.pricegrabber.com
 
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense.  I tried it.  Only tinfoil works.
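The "shun" approach above still needs a way to spot which source IP is holding too many connections. As an added example (not from the original thread or from Cisco), this script replays firewall connection-log lines and reports sources over a per-IP limit. The log format is an assumption approximating PIX 6.x "Built"/"Teardown" TCP connection messages, and all addresses and connection IDs are constructed.

```python
import re
from collections import defaultdict

# Assumed message shapes, modelled on PIX 6.x syslog IDs 302013 (Built) and
# 302014 (Teardown). Only the connection id and the outside source IP matter here.
BUILT = re.compile(r"Built inbound TCP connection (\d+) for outside:([\d.]+)/\d+")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) ")


def open_connections_per_source(lines):
    """Replay Built/Teardown lines and return {source_ip: currently open count}."""
    owner = {}                    # connection id -> source ip (set on Built)
    counts = defaultdict(int)
    for line in lines:
        m = BUILT.search(line)
        if m:
            conn_id, src = m.groups()
            owner[conn_id] = src
            counts[src] += 1
            continue
        m = TEARDOWN.search(line)
        if m:
            src = owner.pop(m.group(1), None)   # teardown with no Built seen: ignore
            if src is not None:
                counts[src] -= 1
    return {ip: n for ip, n in counts.items() if n > 0}


def sources_over_limit(lines, limit):
    """Source IPs with more than `limit` open connections: candidates for a manual shun."""
    return sorted(ip for ip, n in open_connections_per_source(lines).items() if n > limit)


# Constructed sample log: 203.0.113.10 opens five connections and closes one,
# 203.0.113.20 opens two, plus a stray Teardown for an id never seen being built.
def _built(cid, src, sport, dst="10.0.0.5", dport=80):
    return (f"%PIX-6-302013: Built inbound TCP connection {cid} for outside:{src}/{sport} "
            f"({src}/{sport}) to inside:{dst}/{dport} ({dst}/{dport})")


def _teardown(cid, src, sport, dst="10.0.0.5", dport=80):
    return (f"%PIX-6-302014: Teardown TCP connection {cid} for outside:{src}/{sport} "
            f"to inside:{dst}/{dport} duration 0:00:02 bytes 512 TCP FINs")


SAMPLE_LOG = ([_built(1000 + i, "203.0.113.10", 40000 + i) for i in range(5)]
              + [_teardown(1000, "203.0.113.10", 40000)]
              + [_built(2000 + i, "203.0.113.20", 50000 + i) for i in range(2)]
              + [_teardown(9999, "203.0.113.30", 60000)])

if __name__ == "__main__":
    print(open_connections_per_source(SAMPLE_LOG))   # {'203.0.113.10': 4, '203.0.113.20': 2}
    print(sources_over_limit(SAMPLE_LOG, 3))         # ['203.0.113.10']
```

Fed from a syslog collector with a limit of 1000, the output is the list of clients the reply suggests shunning; the count decrements on Teardown so a busy but well-behaved client does not stay flagged.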



