[c-nsp] syn flood - port 80

Kevin Graham mahargk at gmail.com
Sun Aug 1 22:04:16 EDT 2004


If you've got plenty of spare CPU on the 7200, TCP Intercept might be
worth a shot --

http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/intercpt.htm

You mentioned Null dests for some of the /19, but if you've got
large-ish subnets that are mostly empty, consider putting specifics
for the unused chunks w/ blackhole tags into your IGP temporarily so
you can ditch them at the border.

> Making a "mega" ACL w/ all the infected hosts seems kinda silly, and long
> ACLs can just slow down all legit traffic by bogging the CPU down and
> drawing lots of memory.

Turbo ACLs and/or the recent ACL-trie would largely eliminate this
concern (though it would still undoubtedly be ugly).

> Out of desperation I'm thinking of doing this.. I'll be the first to say
> this is a BAD idea, suggestions welcome..
>
> 1 - Scan my internal network for legit http servers and make a list..
> 2 - make an ACL

Do you have an archive of netflow data? This would probably be the
easiest and most dependable means of doing this.

Third option would be to consider setting up a transparent http cache
cluster that's not actually caching.

