[nsp] NetFlow and DoS attacks - tuning
Barry Greene (bgreene)
bgreene at cisco.com
Wed Dec 17 03:08:09 EST 2003
> ...Unless the router is so swamped you cannot login. Then having some
> (any) netflow data for the brief periods where the router can
> breathe again is quite helpful.
I've been using the "process-max-time" command as one of the tools to ensure
I have "command access breathing room" on the router. The value most people
have been setting is "process-max-time 200" ... which on some IOS flavors is
now a default.
The command came in with CSCdk93483 to keep the CLI from knocking out voice
on low-end routers. What is interesting is that I use it to keep access to
the CLI via the console when the router hits 99%/99% on the CPU when it is
DOSed or when some other process grabs all the CPU time.
> > - Here's a good overview presentation
> > http://www.dfn-cert.de/dfn/berichte/db093/behringer-ddos.pdf
> > it covers NetFlow but also rate-limiting, CAR, uRPF, etc...
>
> That was very interesting. I sent that around the office to
> help explain what a DoS attack is and show that it's not just
> something you can "fix".
I'll point my on-line resources in a separate message.