[c-nsp] RES: Virtual-Template DOS?

Leonardo Gama Souza leonardo.souza at nec.com.br
Fri Jan 18 15:45:27 EST 2008


If you are under a DoS attack and figure out that you are receiving too many PADI packets, you can throttle them:

virtual-template 1
sessions per-mac throttle...

cheers

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Masood Ahmad Shah
Sent: Friday, January 18, 2008 12:42
To: 'Duracom Lists'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Virtual-Template DOS?

There are different types of DoS attack for Cisco PPPoE services. I wonder
if you might be getting too many PPPoE sessions from a customer. I suggest you
use debug vpdn things and get the real picture, keeping in mind that you
know the overheads of using debug commands :)

Here is something you can do to prevent such PPPoE DoS attacks:


bba-group pppoe vpn1
 virtual-template 1
 ! 1 = max number of vpdn sessions per VC
 sessions per-vc limit 1
 ! 1 = max number of vpdn sessions per MAC
 sessions per-mac limit 1

Regards,
Masood Ahmad Shah


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Duracom Lists
Sent: Friday, January 18, 2008 8:08 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Virtual-Template DOS?

I have been terminating DSL on my 7206VXR for quite some time.  My router
began acting sluggish the last couple of days; for some odd reason the CPU
was being pegged out.  Below is what was in the logs non-stop.  I only have
5 DSL customers terminated to this router.  In order for me to get the CPU
down I had to issue a no vpdn-group 1 to drop all the tunnels?

Cisco Internetwork Operating System Software 
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(29), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 11-May-05 15:38 by kellmill
Image text-base: 0x60008940, data-base: 0x61314000

ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(6), RELEASE SOFTWARE (fc3)

Dua-7206 uptime is 11 hours, 14 minutes
System returned to ROM by reload at 21:48:50 CST Thu Jan 17 2008
System restarted at 21:49:52 CST Thu Jan 17 2008
System image file is "slot0:c7200-is-mz.122-29.bin"

cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 21304031
R7000 CPU at 350Mhz, Implementation 39, Rev 3.3, 256KB L2, 4096KB L3 Cache
6 slot VXR midplane, Version 2.1




Jan 18 08:55:40: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
Jan 18 08:55:40: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down
Jan 18 08:55:48: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
Jan 18 08:55:49: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
Jan 18 08:55:54: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Jan 18 08:55:55: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Jan 18 08:56:02: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 18 08:56:06: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Jan 18 08:56:07: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Jan 18 08:56:11: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
Jan 18 08:56:19: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
Jan 18 08:56:21: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down
Jan 18 08:56:25: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
Jan 18 08:56:28: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
Jan 18 08:56:36: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Jan 18 08:56:37: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Jan 18 08:56:43: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 18 08:56:43: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Jan 18 08:56:51: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Jan 18 08:56:55: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
Jan 18 08:56:55: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
Jan 18 08:56:59: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down
Jan 18 08:57:07: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
Jan 18 08:57:11: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Jan 18 08:57:12: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
Jan 18 08:57:18: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Jan 18 08:57:27: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 18 08:57:29: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Jan 18 08:57:33: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Jan 18 08:57:35: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
Jan 18 08:57:43: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
Jan 18 08:57:45: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down
Jan 18 08:57:49: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
Jan 18 08:57:49: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
Jan 18 08:57:57: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Jan 18 08:58:01: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 18 08:58:03: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Jan 18 08:58:07: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Jan 18 08:58:15: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Jan 18 08:58:19: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
Jan 18 08:58:21: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down




Kris 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
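
The log quoted in the original question shows Virtual-Access interfaces coming up and dropping again within seconds. As an added example that is not part of any poster's message, the Python below pairs each up/down transition and counts short-lived sessions per time window. The sample joins a few entries from that log with two constructed Virtual-Access9 lines; the year, the 10-second lifetime and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Entries from the log in the thread (wrapped lines joined); the two
# Virtual-Access9 lines are constructed to show a long-lived session.
SAMPLE = """\
Jan 18 08:50:00: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to up
Jan 18 08:55:40: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
Jan 18 08:55:40: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down
Jan 18 08:55:48: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
Jan 18 08:55:49: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
Jan 18 08:56:02: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 18 08:56:06: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Jan 18 08:56:07: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Jan 18 08:56:11: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
Jan 18 08:56:30: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to down
"""

# Message layout as it appears in the thread; other interface types are ignored.
UPDOWN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %LINK-3-UPDOWN: "
    r"Interface (?P<ifc>Virtual-Access\d+), changed state to (?P<state>up|down)$")

def parse(lines, year=2008):
    """Yield (timestamp, interface, state); the log has no year, so one is assumed."""
    for line in lines:
        m = UPDOWN.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ifc"], m["state"]

def short_sessions(lines, max_lifetime=timedelta(seconds=10)):
    """Return sorted (down_time, interface, lifetime) for sessions that died quickly."""
    up_at, events = {}, []
    for ts, ifc, state in parse(lines):
        if state == "up":
            up_at[ifc] = ts
        elif ifc in up_at:  # a "down" with no recorded "up" is skipped
            lifetime = ts - up_at.pop(ifc)
            if lifetime <= max_lifetime:
                events.append((ts, ifc, lifetime))
    return sorted(events)

def peak_churn(events, window=timedelta(seconds=60)):
    """Largest number of short-lived sessions ending inside any one window."""
    peak = start = 0
    for end, (ts, _, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak
```

Calling `peak_churn(short_sessions(SAMPLE.splitlines()))` gives the number to compare against an alerting threshold chosen for the expected subscriber count.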
