[c-nsp] Under attack, need help with ACL....

Pekka Savola pekkas at netcore.fi
Thu Nov 4 00:42:38 EST 2004


Hi,

On Wed, 3 Nov 2004, Rodney Dunn wrote:
> The rate limiting is per source address from what I remember.
>
> There is an enhancement request on the table
> to provide more notification to users when
> packets are being rate limited (SNMP, syslog,
> show command) and to break out the reasons.

Yeah, but much better would be just implementing a token bucket which 
would allow small bursts in sending the messages, rather than a strict 
time-based limiter or disabling it altogether.  That's what modern OSs 
(like Linux, BSD) do.

>
> You can turn it off if you want:
>
> no ip icmp rate-limit unreachable
>
> That's why you see a traceroute that looks like
> this:
>
> Router#tr 1.1.1.2
>
> Type escape sequence to abort.
> Tracing the route to 1.1.1.2
>
>  1 1.1.1.2 4 msec *  0 msec
> Router#!now turn it off on the target router
> Router#tr 1.1.1.2
>
> Type escape sequence to abort.
> Tracing the route to 1.1.1.2
>
>  1 1.1.1.2 4 msec 0 msec 0 msec
>
> http://www.cisco.com/en/US/tech/tk364/tk871/technologies_tech_note09186a00801ae32a.shtml
>
> Rodney
>
>
> On Wed, Nov 03, 2004 at 07:06:28AM +0200, Pekka Savola wrote:
>> On Tue, 2 Nov 2004, Rodney Dunn wrote:
>>> 101_(config)#ip icmp rate-limit unreachable ?
>>>  <1-4294967295>  Once per milliseconds
>>>  DF              code 4, fragmentation needed and DF set
>>>
>>> default is one per 500 msec.
>>
>> That would be really stupid if that was the case (e.g., breaks
>> traceroutes).  Don't you have some kind of token bucket?
>>
>> --
>> Pekka Savola                 "You each name yourselves king, yet the
>> Netcore Oy                    kingdom bleeds."
>> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
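As an added illustration, not part of Pekka's or Rodney's mails: the simulation below contrasts a strict "once per N milliseconds" unreachable limiter, as the quoted `ip icmp rate-limit unreachable` help text describes it, with the token bucket Pekka asks for. Both are given the same sustained rate (one message per 500 ms); the bucket additionally holds a small burst. The probe timings and the flood are constructed inputs, and the class and function names are this example's own, not anything in IOS.

```python
# Added example (not from the thread): strict-interval limiter vs. token
# bucket for ICMP unreachable generation. Timestamps are constructed.


class StrictIntervalLimiter:
    """Send one message, then nothing until `interval_ms` has elapsed."""

    def __init__(self, interval_ms: int) -> None:
        self.interval_ms = interval_ms
        self.last_sent_ms = None  # nothing sent yet

    def allow(self, now_ms: int) -> bool:
        if self.last_sent_ms is None or now_ms - self.last_sent_ms >= self.interval_ms:
            self.last_sent_ms = now_ms
            return True
        return False


class TokenBucketLimiter:
    """Allow up to `burst` messages back-to-back, then refill one token every
    `refill_ms`, so the sustained rate equals that of the strict limiter."""

    def __init__(self, burst: int, refill_ms: int) -> None:
        self.burst = burst
        self.refill_ms = refill_ms
        self.tokens = burst  # bucket starts full
        self.last_refill_ms = 0

    def allow(self, now_ms: int) -> bool:
        # Integer refill keeps the simulation exact (no float drift).
        earned = (now_ms - self.last_refill_ms) // self.refill_ms
        if earned:
            self.tokens = min(self.burst, self.tokens + earned)
            self.last_refill_ms += earned * self.refill_ms
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def run(limiter, send_times_ms):
    """Return, per attempted send, whether the limiter let it through."""
    return [limiter.allow(t) for t in send_times_ms]


# Constructed: three traceroute probes for one hop, a few ms apart.
TRACEROUTE_PROBES_MS = [0, 4, 8]
# Constructed: a 1000 pps stream of unreachable-triggering packets for 5 s.
FLOOD_MS = list(range(0, 5000))


def traceroute_replies(limiter_factory) -> int:
    """How many of the three probes get an unreachable back."""
    return sum(run(limiter_factory(), TRACEROUTE_PROBES_MS))


def flood_replies(limiter_factory) -> int:
    """How many unreachables the router emits during the 5 s flood."""
    return sum(run(limiter_factory(), FLOOD_MS))


if __name__ == "__main__":
    strict = lambda: StrictIntervalLimiter(500)
    bucket = lambda: TokenBucketLimiter(burst=3, refill_ms=500)
    for name, factory in (("strict 1/500ms", strict), ("bucket 3 burst, 1/500ms", bucket)):
        print(f"{name}: traceroute {traceroute_replies(factory)}/3 replies, "
              f"flood {flood_replies(factory)}/5000 replies")
```

With the strict limiter only the first of the three closely spaced probes is answered, which is the `*` in Rodney's traceroute; the bucket answers all three. Under the flood both designs stay at roughly two unreachables per second (10 versus 12 over five seconds), so the burst allowance does not weaken the protection the limiter exists to give.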

