[c-nsp] (no subject)

Jared Mauch jared at puck.nether.net
Fri Jul 8 10:12:43 EDT 2005


On Fri, Jul 08, 2005 at 10:07:18AM +0200, Security wrote:
> Hello all
> 
> I have a few STM-1 lines connected to upstream providers and I would like to
> configure permanent rate-limit commands on the interfaces in order to rate
> limit the number of packets in case of a DoS attack. We are constantly
> measuring the number of packets using Cricket, which under normal network
> behavior is about 40K packets per second (maximum). Under a DoS attack the
> number of packets passing through increases to about 60K or even 70K and we
> are experiencing performance problems.
> 
> Any suggestion of how to apply a constant rate-limit on the number of packets
> per interface will be appreciated.

	There is no way on Cisco to rate-limit based on pps, last
I knew.  I spoke with people at NANOG last time it was in Phoenix
that worked for Cisco and suggested something like this, but it
didn't go anywhere.

	You can do things like rate-limit SYNs and other types
of 'attack' traffic by using an ACL.  Historically I did
things like rate-limit ICMP on an STM-1 link to 2Mb/s.  You may
find similar thresholds helpful.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
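
An added illustration of the ACL-based rate limiting Jared describes, not configuration from his post or from the original poster: classic IOS CAR (`rate-limit`) statements on an STM-1 ingress interface, one capping ICMP at 2 Mb/s and one capping SYNs toward a customer prefix. The interface name `POS1/0`, the ACL numbers, the 10.0.0.0/24 prefix and the 8 kb/s SYN ceiling are assumptions for the example.

```cisco
! Added example (not from the post): two CAR policies on an STM-1 ingress.
! Interface name, ACL numbers, the 10.0.0.0/24 prefix and the 8 kb/s SYN
! ceiling are assumed values for illustration.
!
! ACL 101: match all ICMP (the 2 Mb/s ICMP cap mentioned in the reply).
access-list 101 permit icmp any any
!
! ACL 102: match TCP toward the protected prefix EXCEPT segments that already
! carry ACK or RST ("established"). In a CAR access-group a "deny" means
! "do not apply this limiter", not "drop", so established flows pass
! unpoliced and only connection-opening segments (SYNs) are rate limited.
access-list 102 deny   tcp any 10.0.0.0 0.0.0.255 established
access-list 102 permit tcp any 10.0.0.0 0.0.0.255
!
interface POS1/0
 description STM-1 to upstream
 ! 2 Mb/s for ICMP. CAR bursts are in bytes: normal burst = 2000000/8 * 1.5 s
 ! = 375000 bytes, extended burst = 2 * normal burst = 750000 bytes.
 rate-limit input access-group 101 2000000 375000 750000 conform-action transmit exceed-action drop
 ! 8 kb/s of SYNs toward the prefix; set this above the normal SYN rate
 ! observed on the link, or legitimate connection attempts get dropped too.
 rate-limit input access-group 102 8000 8000 8000 conform-action transmit exceed-action drop
!
! Check which bucket traffic lands in and how much is exceeding:
!   show interfaces POS1/0 rate-limit
```

Two caveats a practitioner would want. First, CAR polices bits per second, not packets per second, which is exactly the gap Jared points out: a 2 Mb/s ICMP cap still lets through roughly 2,000,000 / (64 * 8) = 3,900 pps of 64-byte packets, so it bounds bandwidth rather than the packet rate that was hurting the original poster. Second, the `deny ... established` line in ACL 102 is what makes the second limiter a SYN limiter; without it every TCP packet to the prefix would be policed at 8 kb/s.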

