RES: [c-nsp] (no subject)

Murilo Antonio Pugliese mpugliese at diveo.net.br
Fri Jul 8 16:44:24 EDT 2005 

Configuring TCP Intercept (Prevent Denial-of-Service Attacks)
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scdenial.htm#xtocid254810

This chapter describes how to configure your router to protect TCP servers from TCP SYN-flooding attacks, a type of denial-of-service attack. 
This is accomplished by configuring the Cisco IOS feature known as "TCP Intercept."

-----Mensagem original-----
De: Jared Mauch [mailto:jared at puck.nether.net]
Enviada em: sexta-feira, 8 de julho de 2005 11:13
Para: Security
Cc: cisco-nsp at puck.nether.net
Assunto: Re: [c-nsp] (no subject)


On Fri, Jul 08, 2005 at 10:07:18AM +0200, Security wrote:
> Hello all
> 
> I have a few STM-1 lines connected to upstream providers and I will like to
> configure on the interfaces permanent rate-limit commands in order to rate
> limit the number of packets in case of a DoS attack. We are constantly
> measuring the number of packets using Cricket which under normal network
> behavior is about 40K packets per second. (maximum). Under a DoS attack the
> number of packets passing through increases to about 60k or even 70K and we
> are experiencing performance problems.
> 
> Any suggestion of how to apply constant rate-limit on number of packets per
> interface will be appreciated.

	There is no way on cisco to rate-limit based on pps last
i knew.  I spoke with people at NANOG last time it was in Phoenix
that worked for cisco and suggested something like this but it
didn't go anywhere.. 

	You can do things like rate-limit syns and other types
of 'attack' traffic by using an acl.  historically I did
things like rate-limit ICMP on a STM-1 link to 2Mb/s.  You may
find similar thresholds helpful.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list