[c-nsp] Safer DDOS drops

Peter Kranz pkranz at unwiredltd.com
Fri Apr 8 16:34:50 EDT 2011


I've got it currently at:

"mls rate-limit unicast ip icmp unreachable acl-drop 10 10"

Would the 

" mls rate-limit unicast ip icmp unreachable acl-drop 0" 

Make a difference?

We used the egress rate, since the overall traffic volumes into the router
are much greater than that exiting the port to the customer.. seemed better
to deal with the smaller traffic stream than the entire backhauls worth
(~20Gbps)

-peter



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Friday, April 08, 2011 1:27 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

On 04/08/2011 09:18 PM, Peter Kranz wrote:

>
> Attempted to alleviate the customer port congestion by adding the 
> following to the port (an etherchannel made up of 2 1G ports on a 
> WS-X6516-GBIC)
>
> access-list 101 remark DOS Attack blocker
> access-list 101 deny   udp any host 208.71.159.144
> access-list 101 permit ip any any
>
> ip access-group 101 out
>
> After doing this the router basically froze and died.. only responded 
> to pings sporadically, and its BGP and HSRP sessions all kept flapping 
> until we got in during a lull and removed the access-group. Is there a 
> better way to handle filtering a high volume traffic stream on a 6500 
> that won't kill the rest of the device?

Do you have:

mls rate-limit unicast ip icmp unreachable acl-drop 0

...because if not, the deny ACE will cause some packets to leak to CPU for
ICMP generation, and that might saturate the CPU.

Also, you might be safer having the deny ACL on ingress interfaces rather
than egress.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
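The two suggestions in Phil's reply (move the deny ACL to ingress, and set the acl-drop unreachable rate limiter to 0) are shown together below as one configuration fragment. This is an added example, not configuration from the thread or from Cisco; it reuses the `access-list 101` lines from the original post and the target host 208.71.159.144 that the post names. The interface name `TenGigabitEthernet1/1` is a placeholder for whatever core-facing backhaul interface the attack actually enters on. On the 6500 the ACL match itself is done in hardware for every packet, so the ingress interface's ~20Gbps volume does not add CPU load; what reaches the route processor is only the denied packets punted for ICMP unreachable generation, which is the path the rate limiter (and, as an additional measure, `no ip unreachables` on the interface) closes.

```cisco
! Added example, not from the thread. Drop denied packets in hardware
! instead of punting them to the RP for ICMP unreachable generation.
! With "acl-drop 10 10" up to 10 pps (burst 10) still reach the CPU;
! a rate of 0 disables the punt entirely.
mls rate-limit unicast ip icmp unreachable acl-drop 0
!
! Same ACL as the original post, kept as a numbered ACL.
access-list 101 remark DOS Attack blocker
access-list 101 deny   udp any host 208.71.159.144
access-list 101 permit ip any any
!
! Apply on the core-facing (ingress) interface where the flood arrives,
! so it is dropped before being forwarded toward the customer port.
! TenGigabitEthernet1/1 is a placeholder; substitute the real backhaul interface.
interface TenGigabitEthernet1/1
 ip access-group 101 in
 ! Belt and braces: do not generate unreachables for denied packets at all.
 no ip unreachables
!
! Verification after applying: the deny ACE counter should climb while
! CPU stays flat and BGP/HSRP stop flapping.
show ip access-lists 101
show mls rate-limit
show processes cpu sorted
```

Check `show mls rate-limit` first to confirm the acl-drop limiter actually reads 0 on the box; then watch the `deny udp` hit counter in `show ip access-lists 101` against `show processes cpu sorted` for a minute to confirm the drops are happening in hardware rather than landing on the RP.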


