[c-nsp] Safer DDOS drops
Brandon Ewing
nicotine at warningg.com
Fri Apr 8 16:34:27 EDT 2011
On Fri, Apr 08, 2011 at 01:18:40PM -0700, Peter Kranz wrote:
> 2011-04-08 12:31:49.504 8.832 UDP 58.64.147.47:0 -> xxxxx:0 2048 3.0 M 1
> 2011-04-08 12:31:49.822 8.640 UDP 193.142.209.170:0 -> xxxx:0 66560 98.2 M 1
> Attempted to alleviate the customer port congestion by adding the following
> to the port (an etherchannel made up of 2 1G ports on a WS-X6516-GBIC)
>
> access-list 101 remark DOS Attack blocker
> access-list 101 deny udp any host 208.71.159.144
> access-list 101 permit ip any any
>
Those look like UDP fragments (src/dst port 0) -- did you try adding a
deny ip any host 208.71.159.144 fragments
line?
It's possible the router is trying to reassemble the fragments to compare
them to the ACL -- someone with more experience on the 6500 platform's ACL
quirks could comment.
--
Brandon Ewing (nicotine at warningg.com)
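The point in the exchange above is that the quoted flow records show src/dst port 0, which on nfdump-style exporters is how non-initial IP fragments appear (there is no L4 header to read), so a plain `deny udp` line may not be the right match. The script below is an added example, not part of the thread or any vendor tool: it parses records in the same layout as the quoted nfdump output, flags UDP 0/0 flows as fragment traffic, and totals fragment bytes and packets per destination so an operator can confirm a fragment flood before adding a `fragments` ACE. The sample records are constructed for the example; they reuse the two source addresses from the thread and assume the ACL's host 208.71.159.144 is the masked destination, plus two ordinary flows for contrast. Byte counts such as "3.0 M" are already rounded by the exporter, so the totals are approximate.

```python
# Added example (not from the original thread): flag likely UDP fragment
# floods in nfdump-style flow records and summarise them per target.
import re
from collections import defaultdict

# One nfdump summary line: start time, duration (s), proto, src:port -> dst:port,
# packets, bytes (optionally scaled with K/M/G), flows.
FLOW_RE = re.compile(
    r"^(?P<start>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.:]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>[\d.]+)(?:\s*(?P<unit>[KMG]))?\s+(?P<flows>\d+)$"
)
UNIT = {None: 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Constructed sample: two fragment flows (port 0/0) and two normal flows.
# 208.71.159.144 is assumed to be the masked destination from the thread.
SAMPLE = """\
2011-04-08 12:31:49.504 8.832 UDP 58.64.147.47:0 -> 208.71.159.144:0 2048 3.0 M 1
2011-04-08 12:31:49.822 8.640 UDP 193.142.209.170:0 -> 208.71.159.144:0 66560 98.2 M 1
2011-04-08 12:31:50.100 0.500 UDP 198.51.100.7:53 -> 208.71.159.144:4321 2 300 1
2011-04-08 12:31:50.300 1.200 TCP 203.0.113.9:443 -> 208.71.159.144:51022 40 52 K 1
"""


def parse_flows(text):
    """Parse nfdump-style lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # header, blank, or summary line
        d = m.groupdict()
        records.append({
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "pkts": int(d["pkts"]),
            # Exporter output is already rounded ("3.0 M"), so this is approximate.
            "bytes": round(float(d["bytes"]) * UNIT[d["unit"]]),
            "dur": float(d["dur"]),
        })
    return records


def is_fragment_flow(r):
    """Non-initial fragments carry no UDP header, so exporters report port 0 -> 0."""
    return r["proto"] == "UDP" and r["sport"] == 0 and r["dport"] == 0


def fragment_report(records):
    """Per destination: fragment bytes/packets, distinct sources, share of all bytes."""
    per_dst = defaultdict(lambda: {"frag_bytes": 0, "frag_pkts": 0,
                                   "total_bytes": 0, "_sources": set()})
    for r in records:
        t = per_dst[r["dst"]]
        t["total_bytes"] += r["bytes"]
        if is_fragment_flow(r):
            t["frag_bytes"] += r["bytes"]
            t["frag_pkts"] += r["pkts"]
            t["_sources"].add(r["src"])
    report = {}
    for dst, t in per_dst.items():
        report[dst] = {
            "frag_bytes": t["frag_bytes"],
            "frag_pkts": t["frag_pkts"],
            "sources": len(t["_sources"]),
            "frag_share": t["frag_bytes"] / t["total_bytes"] if t["total_bytes"] else 0.0,
        }
    return report


if __name__ == "__main__":
    for dst, t in fragment_report(parse_flows(SAMPLE)).items():
        print(f"{dst}: {t['frag_bytes']} fragment bytes in {t['frag_pkts']} packets "
              f"from {t['sources']} sources ({t['frag_share']:.1%} of traffic)")
```

When `frag_share` for a target is close to 1.0, as it is for the constructed sample, the congestion is fragment traffic and the ACL needs an ACE that matches fragments by L3 information alone, which is what the `fragments` keyword suggested above provides.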