[c-nsp] rate limiting
Rossella Mariotti-Jones
rossella at chemeketa.edu
Fri Sep 2 14:22:50 EDT 2005
Hello all, we'd like to set up TCP intercept on our 7200 running code
Version 12.2(28) but the command doesn't seem to be available:
Router(config)#ip tcp ?
async-mobility Configure async-mobility
chunk-size TCP chunk size
mss TCP initial maximum segment size
path-mtu-discovery Enable path-MTU discovery on new TCP connections
queuemax Maximum queue of outgoing TCP packets
selective-ack Enable TCP selective-ACK
synwait-time Set time to wait on new TCP connections
timestamp Enable TCP timestamp option
window-size TCP window size
As far as I can tell from the command docs it should be supported in
this version; does anybody have any idea?
Also, can anybody advise on how to do simple rate limiting on UDP
flooding? We've been experiencing DoS attacks consisting of packets like
the ones below and we're thinking about using the rate-limit command to
limit the number of UDP packets to 1/50 of our pipe (DS3). Any
suggestion would be greatly appreciated. Thanks in advance.
No. Time Source Destination Protocol Info
1 0.000000 204.202.11.196 199.101.11.160 UDP Source port: 3554 Destination port: ssh
Frame 1 (60 bytes on wire, 60 bytes captured)
Arrival Time: Sep 2, 2005 10:06:47.220520000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 60 bytes
Capture Length: 60 bytes
Protocols in frame: eth:ip:udp:data
Ethernet II, Src: 00:50:0b:68:64:1c, Dst: 00:05:32:8f:d4:9e
Destination: 00:05:32:8f:d4:9e (Cisco_8f:d4:9e)
Source: 00:50:0b:68:64:1c (Cisco_68:64:1c)
Type: IP (0x0800)
Trailer: 0000000000000000000000000000000000
Internet Protocol, Src Addr: 204.202.11.196 (204.202.11.196), Dst Addr: 199.101.11.160 (199.101.11.160)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 29
Identification: 0x8ca9 (36009)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 51
Protocol: UDP (0x11)
Header checksum: 0x4f93 (correct)
Source: 204.202.11.196 (204.202.11.196)
Destination: 199.101.11.160 (199.101.11.160)
User Datagram Protocol, Src Port: 3554 (3554), Dst Port: ssh (22)
Source port: 3554 (3554)
Destination port: ssh (22)
Length: 9
Checksum: 0x1650 (correct)
Data (1 byte)
0000 00 05 32 8f d4 9e 00 50 0b 68 64 1c 08 00 45 00 ..2....P.hd...E.
0010 00 1d 8c a9 00 00 33 11 4f 93 cc ca 0b c4 c7 65 ......3.O......e
0020 0b a0 0d e2 00 16 00 09 16 50 30 00 00 00 00 00 .........P0.....
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
No. Time Source Destination Protocol Info
2 0.000218 204.202.11.196 199.101.11.160 UDP Source port: 3554 Destination port: ssh
Frame 2 (60 bytes on wire, 60 bytes captured)
Arrival Time: Sep 2, 2005 10:06:47.220738000
Time delta from previous packet: 0.000218000 seconds
Time since reference or first frame: 0.000218000 seconds
Frame Number: 2
Packet Length: 60 bytes
Capture Length: 60 bytes
Protocols in frame: eth:ip:udp:data
Ethernet II, Src: 00:50:0b:68:64:1c, Dst: 00:05:32:8f:d4:9e
Destination: 00:05:32:8f:d4:9e (Cisco_8f:d4:9e)
Source: 00:50:0b:68:64:1c (Cisco_68:64:1c)
Type: IP (0x0800)
Trailer: 0000000000000000000000000000000000
Internet Protocol, Src Addr: 204.202.11.196 (204.202.11.196), Dst Addr: 199.101.11.160 (199.101.11.160)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 29
Identification: 0x8caa (36010)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 51
Protocol: UDP (0x11)
Header checksum: 0x4f92 (correct)
Source: 204.202.11.196 (204.202.11.196)
Destination: 199.101.11.160 (199.101.11.160)
User Datagram Protocol, Src Port: 3554 (3554), Dst Port: ssh (22)
Source port: 3554 (3554)
Destination port: ssh (22)
Length: 9
Checksum: 0x1650 (correct)
Data (1 byte)
0000 00 05 32 8f d4 9e 00 50 0b 68 64 1c 08 00 45 00 ..2....P.hd...E.
0010 00 1d 8c aa 00 00 33 11 4f 92 cc ca 0b c4 c7 65 ......3.O......e
0020 0b a0 0d e2 00 16 00 09 16 50 30 00 00 00 00 00 .........P0.....
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
Rossella Mariotti-Jones
Network Systems Analyst, CCNA
Chemeketa Community College
Information Technology
T 503 589 7775
F 503 399 4898
E rossella at chemeketa.edu
www.chemeketa.edu
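As an added illustration (not part of Rossella's message or any Cisco tool), the Python below decodes frame 1 exactly as re-typed from the hex dump in the post, verifies the IPv4 header and UDP checksums that Wireshark marks "(correct)", and shows the edge case a classifier must get right: the 17-byte Ethernet trailer is outside the IP total length and must not enter the UDP checksum or the payload. The function names are my own.

```python
import struct

# Frame 1 re-typed from the hex dump in the post: 60 bytes on the wire,
# i.e. 14 (Ethernet) + 20 (IPv4) + 8 (UDP) + 1 (data) + 17 bytes of trailer.
FRAME1 = bytes.fromhex(
    "0005328fd49e00500b68641c0800"              # Ethernet II, type IP
    "4500001d8ca9000033114f93ccca0bc4c7650ba0"  # IPv4, total length 29
    "0de2001600091650" "30"                     # UDP 3554 -> 22, 1 data byte
    + "00" * 17                                 # Ethernet padding (trailer)
)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_udp_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP and verify both checksums.

    The IPv4 total length, not the captured frame length, bounds the datagram:
    the Ethernet trailer must stay out of the UDP checksum and the payload.
    """
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    src, dst = ip[12:16], ip[16:20]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]                      # trailer excluded here
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "id": ident, "ttl": ttl, "sport": sport, "dport": dport,
        "payload": bytes(udp[8:ulen]),
        # A header that sums (checksum field included) to 0xFFFF is intact.
        "ip_header_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "udp_checksum_ok": ones_complement_sum(pseudo + udp[:ulen]) == 0xFFFF,
    }


def matches_post_pattern(pkt: dict) -> bool:
    """True for the shape shown in the post: a one-byte UDP datagram aimed at
    the ssh port (a TCP service), a sanity check for an ACL or flow classifier."""
    return pkt["dport"] == 22 and len(pkt["payload"]) == 1
```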