[c-nsp] Safer DDOS drops
Peter Kranz
pkranz at unwiredltd.com
Fri Apr 8 16:36:42 EDT 2011
It is configured, Lukasz.
interface Port-channel2
ip address xxxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
speed nonegotiate
mls netflow sampling
mls rate-limits in place currently:
mls rate-limit unicast ip icmp unreachable acl-drop 10 10
What are your recommended changes?
-peter
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lukasz Bromirski
Sent: Friday, April 08, 2011 1:28 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops
On 2011-04-08 22:18, Peter Kranz wrote:
> So today one of our customers was being hit with a DDOS attack with
> the following signature: basically a bunch of UDP junk of about 5 Gbps
> in volume.
> The device facing the customer is a 6500 with a Sup720-3BXL running
> 12.2(33)SXI3.
> Attempted to alleviate the customer port congestion by adding the
> following to the port (an etherchannel made up of 2 1G ports on a
> WS-X6516-GBIC):
>
> access-list 101 remark DOS Attack blocker
> access-list 101 deny udp any host 208.71.159.144
> access-list 101 permit ip any any
> ip access-group 101 out
Let me guess: the 'no ip unreachables' wasn't configured, and you had
neither mls rate-limits nor CoPP configured?
--
"There's no sense in being precise when | Łukasz Bromirski
you don't know what you're talking | jid:lbromirski at jabber.org
about." John von Neumann | http://lukasz.bromirski.net
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
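As an added example (not from the original thread and not Cisco's own tooling), here is a small Python audit that reads an IOS-style running-config and flags the three things Lukasz asks about: an interface carrying an 'ip access-group' without 'no ip unreachables' (on a Sup720 an ACL-denied packet is punted to the RP so it can source the ICMP unreachable, which is what turns a 5 Gbps UDP flood into a control-plane problem), a missing 'mls rate-limit unicast ip icmp unreachable acl-drop' limiter for that punt path, and the absence of a CoPP service-policy under 'control-plane'. The sample config is constructed to resemble Peter's Port-channel2 plus a second, unhardened interface; the addresses, interface names and policy name are made up.

```python
"""Audit an IOS running-config for the ACL-drop punt protections
discussed in the thread. Added example; the config below is constructed."""
import re
from typing import Dict, List

# Constructed sample config: Port-channel2 mirrors the poster's settings,
# GigabitEthernet1/1 has an ACL but still generates ICMP unreachables.
SAMPLE_CONFIG = """\
!
mls rate-limit unicast ip icmp unreachable acl-drop 10 10
!
interface Port-channel2
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group 101 out
!
interface GigabitEthernet1/1
 ip address 192.0.2.5 255.255.255.252
 ip access-group 102 in
!
interface Vlan10
 no ip address
!
"""

# Hypothetical CoPP stanza appended to show the hardened case.
COPP_STANZA = "control-plane\n service-policy input CoPP\n!\n"


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented config lines, stripped]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other global line ends the stanza
    return interfaces


def global_findings(config: str) -> List[str]:
    """Box-wide checks: the acl-drop rate-limiter and a CoPP policy."""
    findings = []
    if not re.search(r"^mls rate-limit unicast ip icmp unreachable acl-drop \d+",
                     config, re.M):
        findings.append("no 'mls rate-limit unicast ip icmp unreachable acl-drop'")
    # 'control-plane' stanza must contain an inbound service-policy
    if not re.search(r"^control-plane$(?:\n .*)*?\n service-policy input \S+",
                     config, re.M):
        findings.append("no CoPP service-policy under 'control-plane'")
    return findings


def interface_findings(interfaces: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per-interface check: an ACL without 'no ip unreachables' means
    every denied packet is punted to the RP to source an ICMP unreachable."""
    out: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        if not any(l.startswith("ip access-group ") for l in lines):
            continue
        if "no ip unreachables" not in lines:
            out[name] = ["ACL applied but 'no ip unreachables' missing: "
                         "denied packets are punted to the RP"]
    return out


def audit(config: str) -> dict:
    """Run both checks and return a report dict."""
    return {
        "global": global_findings(config),
        "interfaces": interface_findings(parse_interfaces(config)),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG),
                       ("with CoPP", SAMPLE_CONFIG + COPP_STANZA)):
        print(label, audit(cfg))
```

Run it against the output of 'show running-config' saved to a file; the per-interface check is the one that matters on a customer-facing port, since the global rate-limiter only caps how fast the RP is hit, while 'no ip unreachables' stops the punt for that interface altogether.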