[c-nsp] Under attack, need help with ACL....

Rodney Dunn rodunn at cisco.com
Tue Nov 2 17:12:57 EST 2004


I like extended ACL's better for this when
it comes to packet matching.

ie:

! extended ACE: protocol keyword, then "src wildcard" "dst wildcard"
access-list 101 deny ip 213.159.115.0 0.0.0.255 any
access-list 101 permit ip any any


interface <blah>
ip access-group 101 in


I find it more intuitive when I know the format
of the command is "src network" "dst network".

Depending on the rate of traffic you may
want to disable "ip unreachables" on the interface
or rate limit them via the global:

101_(config)#ip icmp rate-limit unreachable ?
  <1-4294967295>  Once per milliseconds
  DF              code 4, fragmentation needed and DF set

default is one per 500 msec.

You do this to protect the router from punting a lot
of packets to the processor when you drop.

Or you could turn off unreachables on the interface
directly: no ip unreachables

Rodney

On Tue, Nov 02, 2004 at 03:44:44PM -0600, Josh Duffek wrote:
> Did you not apply the ACL to the interface?
> 
> Config t
> Interface x
> Ip access-group 10 in
> End
> ...or somesuch
> 
> Curious, what kind of traffic is it?
> 
> Thanks,
> 
> josh duffek    network engineer
> consultantjd16 at ridemetro.org
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Richard Golodner
> > Sent: Tuesday, November 02, 2004 3:42 PM
> > To: 'cisco-nsp at puck.nether.net'
> > Subject: [c-nsp] Under attack, need help with ACL....
> > 
> > 	My company is under some type of DoS and my upstream will not
> > help
> > until I reach 80% saturation. I need to block all hosts from netblock
> > 213.159.115.0-255 and have created this ACL:
> > access-list 10 deny   213.159.115.0 0.0.0.255
> > access-list 10 permit any
> > 	I am hoping that someone could give me a clue off list please.
> > 				Thank you, Richard Golodner
> > 				rgolodner at aetea.com
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
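Added example, not code from this thread or from Cisco: a small Python evaluator for the subset of extended IP ACL syntax used above (assumed subset: protocol `ip`, and `any`, `host X`, or `network wildcard` for source and destination). It shows how the wildcard 0.0.0.255 covers the whole /24, that entries are checked first-match, and that leaving out `permit ip any any` silently drops everything through the implicit deny.

```python
import ipaddress

# Constructed sample: the extended ACL from the reply, with the "ip"
# keyword an extended ACE requires.
ACL_101 = [
    "access-list 101 deny ip 213.159.115.0 0.0.0.255 any",
    "access-list 101 permit ip any any",
]

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(tokens):
    """Consume one address spec from the token list; return (network, wildcard)."""
    if tokens[0] == "any":
        del tokens[0]
        return ("0.0.0.0", "255.255.255.255")
    if tokens[0] == "host":
        host = tokens[1]
        del tokens[:2]
        return (host, "0.0.0.0")
    net, wild = tokens[0], tokens[1]
    del tokens[:2]
    return (net, wild)

def parse_ace(line):
    """Parse 'access-list N {permit|deny} ip SRC DST' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    rest = tokens[4:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    return {"action": tokens[2], "src": src, "dst": dst}

def evaluate(acl_lines, src_ip, dst_ip):
    """Return 'permit' or 'deny' for a packet; first matching entry wins,
    and a packet matching no entry hits the implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if wildcard_match(src_ip, *ace["src"]) and wildcard_match(dst_ip, *ace["dst"]):
            return ace["action"]
    return "deny"

if __name__ == "__main__":
    print(evaluate(ACL_101, "213.159.115.77", "192.0.2.10"))    # deny
    print(evaluate(ACL_101, "198.51.100.5", "192.0.2.10"))      # permit
    # Forgetting the final permit: the implicit deny drops everything.
    print(evaluate(ACL_101[:1], "198.51.100.5", "192.0.2.10"))  # deny
```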