[nsp] limit connections per-source-ip on pix or localdir?
Christopher McCrory
chrismcc at pricegrabber.com
Thu Jul 31 19:04:27 EDT 2003
Hello...
On Thu, 2003-07-31 at 16:09, Rob Helmer wrote:
> Hello,
>
>
> I run a network with a PIX 515 on the outside, and a LD 410 on the
> inside.
>
> I would like to limit the number of open connections to (say)
> 1000 per source IP. I've gone through all the manuals, but the
> closest I've found is "maxconns" on the LD side, which just limits
> the total number of open connections to a particular service, which
> won't fit my needs.
>
> The story behind this is that a client with many more servers than we
> have has accidentally flooded us with requests a couple times, which
> makes all of our servers too busy to respond to other clients.
>
> We still have bandwidth to spare though. I'd like to limit the number
> of requests any one client can make, ideally without buying any more
> gear (although I am open to suggestions :) ).
>
Two ways at least :)
1:
pix> shun ip.address.of.client
Hit client with cluebat.
Repeat as necessary :)
2:
ld> assign
Set up a real/virtual/bind to a specific server just for this client;
they overload it, everyone else is still happy.
There might be other ways.
>
>
> Thanks,
> Rob Helmer
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc at pricegrabber.com
http://www.pricegrabber.com
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense. I tried it. Only tinfoil works.
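The thread's underlying check, counting open connections per source IP and flagging any source above a limit (the per-source limit a per-service "maxconns" cannot express), as an added example that is not part of the original thread. The connection records are constructed sample data in a layout assumed here, not real PIX or LocalDirector output; the function names are this example's own.

```python
"""Per-source-IP open-connection counting (added example, constructed data).

Each record is (src_ip, dst_ip, dst_port) for one open connection, the kind of
tuple one would pull from a firewall or load-balancer connection table. The
record layout and function names are assumptions of this example.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Conn = Tuple[str, str, int]


def count_per_source(conns: Iterable[Conn]) -> Counter:
    """Open connections per source IP, regardless of destination service."""
    return Counter(src for src, _dst, _port in conns)


def count_per_source_service(conns: Iterable[Conn]) -> Counter:
    """Open connections per (source IP, destination port) pair."""
    return Counter((src, port) for src, _dst, port in conns)


def over_limit(conns: Iterable[Conn], limit: int) -> Dict[str, int]:
    """Sources holding more than `limit` open connections, busiest first.

    This is the per-client check asked for in the thread (e.g. limit=1000);
    a per-service total such as maxconns would instead cut off every client
    once the one busy source had filled the service's quota.
    """
    snapshot = list(conns)  # materialise in case a generator was passed
    return {src: n for src, n in count_per_source(snapshot).most_common()
            if n > limit}


# Constructed sample snapshot: one busy client, two quiet ones.
SAMPLE_CONNS: List[Conn] = (
    [("203.0.113.10", "192.0.2.5", 80)] * 1200     # busy client, http
    + [("203.0.113.10", "192.0.2.6", 443)] * 300   # same client, https
    + [("198.51.100.7", "192.0.2.5", 80)] * 40     # quiet client
    + [("198.51.100.8", "192.0.2.5", 80)] * 15     # quiet client
)

if __name__ == "__main__":
    for src, n in over_limit(SAMPLE_CONNS, 1000).items():
        print(f"{src}: {n} open connections, over the per-source limit")
```

Running the snapshot above reports only 203.0.113.10 (1500 connections); the two quiet clients stay well under the limit and would be unaffected by acting on that one source.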