[nsp] Question about per-host ip nat limits
Kumar, Senthil
senthil.kumar at intechnology.co.uk
Wed Dec 18 14:39:02 EST 2002
If not at the NAT level, I can think of some options that will put a check on
DoS attacks: try CBAC, or 'ip tcp intercept' with
one-minute/half-open/max-open at net or host level.
And at the NAT level, max-entries and/or timeout will help.
-----Original Message-----
From: buhrow@lothlorien.nfbcal.org [mailto:buhrow@lothlorien.nfbcal.org]
Sent: 17 December 2002 22:43
To: cisco-nsp@puck.nether.net
Cc: buhrow@lothlorien.nfbcal.org
Subject: [nsp] Question about per-host ip nat limits
Hello folks. After looking through the Cisco web site, as well
as looking at this list's archives, I find I have a question which I
thought someone might know the answer to on this list.
Here's the situation. We have a router serving a campus which uses
all NATted addresses. The customers who use our service on this campus
are free to supply their own computers, so we end up with a heterogeneous
collection of hardware and software. Sometimes, computers show up with
viruses which attempt to open a vast number of connections out through the
Internet router. This causes the router to assign so many NAT translation
entries that it either runs out of memory, or bumps up against the maximum
number of translations we've defined. Either way, all users eventually
find they cannot use the Internet because the router's translation slots
are all consumed by the rogue computer.
My question is this: is there a command to limit
the number of translations a given inside IP address can use before it is
denied any more translation slots? I'd like to do this to prevent one host
from inadvertently mounting a denial of service attack by running the
router out of translation memory. In case it matters, we're running this
campus through a Cisco 2621 router with IOS version 12.2(7a).
Any thoughts on how to prevent this sort of denial of service
attack would be greatly appreciated.
-thanks
-Brian
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
________________________________________________________________________
This message has been checked for all known viruses by the
CitC Virus Scanning Service powered by SkyLabs. For further information
visit
http://www.citc.it
___
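As an added illustration (editor's example, not configuration from either message in the thread), here is how the knobs Senthil names look in IOS configuration on a router like the one Brian describes. Interface names, addresses, the ACL number, the inspection rule name and every threshold value are assumptions chosen for illustration and must be tuned to the site:

```cisco
! Added example, not from the thread. Interface names, addresses, ACL
! number, inspect rule name and thresholds are illustrative assumptions.
!
! 1. NAT-table level: cap the table and expire idle entries sooner, so a
!    runaway host fills slots more slowly and they are reclaimed faster.
ip nat translation max-entries 8000
ip nat translation timeout 3600
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 300
ip nat translation syn-timeout 60
ip nat translation finrst-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
!
! 2. CBAC (ip inspect): half-open session thresholds. The global
!    max-incomplete and one-minute values are router-wide; the "host" form
!    counts half-open TCP sessions per *destination* host and blocks new
!    ones to that host for block-time minutes.
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
ip inspect tcp max-incomplete host 50 block-time 1
ip inspect tcp synwait-time 20
ip inspect name CAMPUS tcp
ip inspect name CAMPUS udp
!
interface FastEthernet0/0
 description inside (campus) side - assumed interface
 ip address 10.0.0.1 255.255.0.0
 ip nat inside
 ip inspect CAMPUS in
!
interface FastEthernet0/1
 description outside (Internet) side - assumed interface
 ip nat outside
!
! 3. TCP intercept: the ACL selects which TCP SYNs are watched; the
!    thresholds below trigger aggressive mode (faster ageing of half-open
!    connections). "watch" mode observes; "intercept" mode proxies the SYN.
access-list 120 permit tcp any any
ip tcp intercept list 120
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
ip tcp intercept one-minute low 600
ip tcp intercept one-minute high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept max-incomplete high 800
```

Two caveats a practitioner would want. First, none of these is the per-source cap Brian asked for: the NAT limits are global, the CBAC and TCP intercept thresholds are router-wide or keyed on the destination host, so they slow a worm-infected inside host down and reclaim entries faster but do not fence off one inside address. To my knowledge a per-inside-host form of `ip nat translation max-entries` (the NAT rate-limiting feature) appeared only in later IOS trains, not in the 12.2(7a) image mentioned in the thread; check the feature navigator for the running release before relying on it. Second, `ip tcp intercept mode intercept` makes the router complete the three-way handshake on behalf of every matching destination, which is CPU-heavy on a small platform such as the 2621; start in `watch` mode and narrow the ACL rather than matching `any any` if the CPU load climbs.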