[c-nsp] Safer DDOS drops

Phil Mayers p.mayers at imperial.ac.uk
Fri Apr 8 16:26:37 EDT 2011


On 04/08/2011 09:18 PM, Peter Kranz wrote:

>
> Attempted to alleviate the customer port congestion by adding the following
> to the port (an etherchannel made up of 2 1G ports on a WS-X6516-GBIC)
>
> access-list 101 remark DOS Attack blocker
> access-list 101 deny   udp any host 208.71.159.144
> access-list 101 permit ip any any
>
> ip access-group 101 out
>
> After doing this the router basically froze and died.. only responded to
> pings sporadically, and its BGP and HSRP sessions all kept flapping until we
> got in during a lull and removed the access-group. Is there a better way to
> handle filtering a high volume traffic stream on a 6500 that won't kill the
> rest of the device?

Do you have:

mls rate-limit unicast ip icmp unreachable acl-drop 0

...because if not, the deny ACE will cause some packets to leak to CPU 
for ICMP generation, and that might saturate the CPU.

Also, you might be safer having the deny ACL on ingress interfaces 
rather than egress.
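As an added illustration (not configuration from either poster), here are the two arrangements side by side: the egress ACL as applied in the original post, and the variant Phil suggests, with the hardware rate-limiter for ACL-drop unreachables and the ACL moved to the ingress (upstream-facing) interface. The interface names, the access-list number used for the ingress variant and the closing verification command are assumptions, not from the thread.

```cisco
! --- Original arrangement (as posted): deny ACE applied outbound on the
! --- customer port-channel, with no hardware limiter for ACL-drop ICMP.
access-list 101 remark DOS Attack blocker
access-list 101 deny   udp any host 208.71.159.144
access-list 101 permit ip any any
!
! assumed name for the 2x1G customer etherchannel
interface Port-channel1
 ip access-group 101 out
!
! --- Suggested arrangement:
!  (a) ICMP unreachables that the deny ACE would otherwise have the MSFC
!      generate are rate-limited to 0 in hardware, so denied packets are
!      dropped in the PFC instead of leaking to the CPU;
!  (b) the ACL is applied inbound on the upstream interface, so the flood
!      is dropped before it is switched toward the congested customer port.
mls rate-limit unicast ip icmp unreachable acl-drop 0
!
! access-list number for the ingress variant is assumed
access-list 102 remark DOS Attack blocker (ingress variant)
access-list 102 deny   udp any host 208.71.159.144
access-list 102 permit ip any any
!
! assumed name for the upstream (attack-facing) interface
interface TenGigabitEthernet1/1
 ip access-group 102 in
!
interface Port-channel1
 no ip access-group 101 out
!
! Do not add the "log" keyword to the deny ACE: logged ACEs are not
! handled purely in hardware and send matching packets to the MSFC,
! which recreates the CPU problem the limiter was meant to avoid.
!
! Verify the limiter is installed (the acl-drop line should show rate 0):
! show mls rate-limit
```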
