[nsp] limit connections per-source-ip on pix or localdir?

Scott Morris swm at emanon.com
Fri Aug 1 11:59:43 EDT 2003


You could probably do it implementing outside NAT on the box.  Although
I would warn you that this is a huge pain in the ass for watching the
logic of the box depending on how many interfaces and things you have
going on!  But you COULD do it that way.  Because it's during the NAT
processing that the number of connections is checked.

I'm not sure I'd use a 515 to do this due to the extra processing, but
again this would depend on the amount of traffic going through it and
what your load/connections really are.  I'm assuming you have quite a few
if you are picking 1000 to be the maximum.

Anyway, something to think about on the PIX.

Scott


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christopher
McCrory
Sent: Thursday, July 31, 2003 9:04 PM
To: Rob Helmer
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] limit connections per-source-ip on pix or localdir?


Hello...

On Thu, 2003-07-31 at 16:09, Rob Helmer wrote:
> Hello,
> 
> 
> I run a network with a PIX 515 on the outside, and a LD 410 on the 
> inside.
> 
> I would like to limit the number of open connections to (say) 1000 per
> source IP. I've gone through all the manuals, but the closest I've
> found is "maxconns" on the LD side, which just limits the total number
> of open connections to a particular service, which won't fit my needs.
> 
> The story behind this is that a client with many more servers than we 
> have has accidentally flooded us with requests a couple times, which 
> makes all of our servers too busy to respond to other clients.
> 
> We still have bandwidth to spare though. I'd like to limit the number 
> of requests any one client can make, ideally without buying any more 
> gear (although I am open to suggestions :) ).
> 

two ways at least :)

1:

pix>  shun ip.address.of.client

hit client with cluebat

repeat as necessary :)

2:

ld> assign

set up a real/virtual/bind to a specific server just for this client,
they overload it, everyone else is still happy.

there might be other ways

> 
> 
> Thanks,
> Rob Helmer
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
-- 
Christopher McCrory
 "The guy that keeps the servers running"
 
chrismcc at pricegrabber.com
 http://www.pricegrabber.com
 
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense.  I tried it.  Only tinfoil works.
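The distinction Rob draws above (LocalDirector "maxconns" caps the total for a service, whereas he needs a cap per source IP so one over-eager client cannot starve everyone else) is easiest to see in code. The following is an added illustration written for this archive page, not code from the thread or from Cisco; the ConnectionLimiter class, run_events() helper and the 192.0.2.x event stream are all constructed for the example. It enforces both ceilings side by side so you can compare which connections each one refuses.

```python
from collections import defaultdict


class ConnectionLimiter:
    """Tracks open connections and enforces two independent ceilings.

    per_service_limit behaves like the LocalDirector "maxconns" discussed in
    the thread: one total for a service, shared by every client.
    per_source_limit is what the original poster asked for: a ceiling for each
    source IP, so a single runaway client cannot hold the whole service budget.
    (Hypothetical helper class, not a Cisco feature.)
    """

    def __init__(self, per_source_limit, per_service_limit):
        self.per_source_limit = per_source_limit
        self.per_service_limit = per_service_limit
        self.open_by_source = defaultdict(int)   # src_ip  -> open connections
        self.open_by_service = defaultdict(int)  # service -> open connections
        self.rejected = defaultdict(int)         # reason  -> refused opens

    def open(self, src_ip, service):
        """Admit a new connection; True if accepted, False if refused."""
        if self.open_by_source[src_ip] >= self.per_source_limit:
            self.rejected["per_source"] += 1
            return False
        if self.open_by_service[service] >= self.per_service_limit:
            self.rejected["per_service"] += 1
            return False
        self.open_by_source[src_ip] += 1
        self.open_by_service[service] += 1
        return True

    def close(self, src_ip, service):
        """Release a connection previously admitted by open()."""
        if self.open_by_source[src_ip] > 0 and self.open_by_service[service] > 0:
            self.open_by_source[src_ip] -= 1
            self.open_by_service[service] -= 1


# Constructed event stream: (action, source IP, service).  192.0.2.10 plays
# the "client with many more servers than we have" from the original post.
SAMPLE_EVENTS = [
    ("open", "192.0.2.10", "http"),
    ("open", "192.0.2.10", "http"),
    ("open", "192.0.2.10", "http"),
    ("open", "192.0.2.10", "http"),   # 4th from one client: over a per-source limit of 3
    ("open", "192.0.2.20", "http"),
    ("open", "192.0.2.20", "http"),
    ("open", "192.0.2.30", "http"),   # service already at 5: over a per-service limit of 5
    ("close", "192.0.2.10", "http"),  # the busy client releases one connection
    ("open", "192.0.2.30", "http"),   # now fits: service 4 -> 5
    ("open", "192.0.2.10", "http"),   # client is under its own cap, but service is full
]


def run_events(events, per_source_limit, per_service_limit):
    """Replay an event stream through the limiter and summarise the outcome."""
    limiter = ConnectionLimiter(per_source_limit, per_service_limit)
    accepted = 0
    for action, src_ip, service in events:
        if action == "open":
            accepted += limiter.open(src_ip, service)
        elif action == "close":
            limiter.close(src_ip, service)
    return {
        "accepted": accepted,
        "rejected": dict(limiter.rejected),
        "open_by_source": dict(limiter.open_by_source),
    }


if __name__ == "__main__":
    # Per-source cap of 3 plus per-service cap of 5: the noisy client is
    # refused once, and two later opens fail because the service is full.
    print(run_events(SAMPLE_EVENTS, 3, 5))
    # Per-service cap only (maxconns-style): the noisy client takes 4 of the
    # 5 slots before anyone else gets a look in.
    print(run_events(SAMPLE_EVENTS, 10**9, 5))
```

Running the same stream with only the per-service cap shows the failure mode from the post: one client holds most of the budget and the others are the ones refused. With both caps, the noisy client is held to its share and the remaining slots stay available to other sources.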

