[nsp] Question about per-host ip nat limits

Kumar, Senthil senthil.kumar at intechnology.co.uk
Wed Dec 18 14:39:02 EST 2002


If not at NAT level, I can think of some options that will put a check on
DoS attacks: try 'cbac' or 'ip tcp intercept' with
one-minute/half-open/max-open at net or host level.

& at NAT level max-entries or/& timeout will help.


-----Original Message-----
From: buhrow@lothlorien.nfbcal.org [mailto:buhrow@lothlorien.nfbcal.org]
Sent: 17 December 2002 22:43
To: cisco-nsp@puck.nether.net
Cc: buhrow@lothlorien.nfbcal.org
Subject: [nsp] Question about per-host ip nat limits


Hello folks. After looking through the Cisco web site, as well
as looking at this list's archives, I find I have a question which I
thought someone might know the answer to on this list.

Here's the situation. We have a router serving a campus which uses
all natted addresses. The customers who use our service on this campus
are free to supply their own computers, so we end up with a heterogeneous
collection of hardware and software. Sometimes, computers show up with
viruses which attempt to open a vast number of connections out through the
Internet router. This causes the router to assign so many NAT translation
entries that it either runs out of memory, or bumps up against the maximum
number of translations we've defined. Either way, all users eventually
find they cannot use the Internet because the router's translation slots
are all consumed by the rogue computer.

My question is this: is there a command to limit
the number of translations a given inside IP address can use before it is
denied any more translation slots? I'd like to do this to prevent one host
from inadvertently mounting a denial of service attack by running the
router out of translation memory. In case it matters, we're running this
campus through a Cisco 2621 router with IOS version 12.2(7a).

Any thoughts on how to prevent this sort of denial of service
attack would be greatly appreciated.
-thanks
-Brian

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

________________________________________________________________________
This message has been checked for all known viruses by the
CitC Virus Scanning Service powered by SkyLabs. For further information visit
http://www.citc.it

___
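The thread points at two levers on the router itself: the NAT translation table's global cap and timeouts, and the CBAC half-open thresholds. The IOS configuration fragment below is an added example, not configuration posted by either participant, showing those settings together. Every number, the ACL-free inspect rule name OUTBOUND, the inside interface name FastEthernet0/0 and the address 10.1.1.7 are assumed values; the per-host `max-entries host` and `all-host` forms at the end belong to the Rate Limiting NAT Translation feature of later IOS releases and are not available on the 12.2(7a) image the question mentions.

```cisco
! Added example (not from the thread): NAT table limits, shorter timeouts
! and CBAC thresholds that stop one inside host from consuming every
! translation slot. All thresholds, names and addresses are assumed.
!
! Cap the translation table below the point where the router runs out of
! memory, so NAT refuses new entries instead of exhausting the box.
ip nat translation max-entries 4000
!
! Age out idle entries quickly. IOS defaults are 24 hours for TCP and
! 5 minutes for UDP; a worm's half-open connections never finish the
! handshake, so the syn and finrst timers decide how long they linger.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
ip nat translation syn-timeout 30
ip nat translation finrst-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
!
! Per-host ceilings (later IOS releases only): every inside host gets
! 100 slots, with a tighter cap for one known-troublesome address.
ip nat translation max-entries all-host 100
ip nat translation max-entries host 10.1.1.7 25
!
! CBAC thresholds, as the reply suggests, if the IOS Firewall feature set
! is installed: once half-open sessions cross "high", new half-open
! sessions are dropped until the count falls back under "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
interface FastEthernet0/0
 description Inside campus interface (assumed name)
 ip inspect OUTBOUND in
!
! Verification from enable mode: table size, hit counters and the inside
! local address that owns most of the entries.
! show ip nat statistics
! show ip nat translations
```

The global `max-entries` cap on its own only moves the failure from "router out of memory" to "table full"; the timeouts are what actually return slots to other users while the rogue host keeps trying, so tune them first and watch `show ip nat statistics` for the expired-translation counters before adding the CBAC thresholds.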

