[c-nsp] Safer DDOS drops

Peter Kranz pkranz at unwiredltd.com
Fri Apr 8 16:36:42 EDT 2011


It is configured, Lukasz.

interface Port-channel2
ip address xxxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip flow ingress
speed nonegotiate
 mls netflow sampling

mls rate-limits in place currently:

mls rate-limit unicast ip icmp unreachable acl-drop 10 10

What are your recommended changes?

-peter

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lukasz Bromirski
Sent: Friday, April 08, 2011 1:28 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

On 2011-04-08 22:18, Peter Kranz wrote:
> So today one of our customers was being hit with a DDOS attack with 
> the following signature; basically a bunch of UDP junk of about 5 Gbps 
> in volume..
> The device facing the customer is a 6500 with a Sup720-3BXL running 
> 12.2(33)SXI3..
> Attempted to alleviate the customer port congestion by adding the 
> following to the port (an etherchannel made up of 2 1G ports on a 
> WS-X6516-GBIC) access-list 101 remark DOS Attack blocker
> access-list 101 deny   udp any host 208.71.159.144
> access-list 101 permit ip any any
> ip access-group 101 out

Let me guess - the 'no ip unreachables' wasn't configured, and you didn't
have mls rate-limits nor CoPP configured?

-- 
"There's no sense in being precise when |               Łukasz Bromirski
  you don't know what you're talking     |      jid:lbromirski at jabber.org
  about."               John von Neumann |    http://lukasz.bromirski.net
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
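As an added example (my own code, not from anyone in this thread), a small Python check for the three protections Łukasz asks about: 'no ip unreachables' on every L3 interface, an mls rate-limit for ACL-drop unreachables, and a CoPP service-policy under control-plane. The sample config is constructed (interface names and addresses are hypothetical), loosely modelled on the Port-channel2 stanza above, and the parser assumes normal IOS indentation (one leading space inside a stanza).

```python
import re

# Constructed sample config (hypothetical addresses); Vlan10 and the
# missing control-plane stanza are there to trigger findings.
SAMPLE_CONFIG = """\
interface Port-channel2
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
!
interface Vlan10
 ip address 198.51.100.1 255.255.255.0
!
mls rate-limit unicast ip icmp unreachable acl-drop 10 10
"""

def parse_config(config):
    """Split an IOS config into {interface name: [stanza lines]}; global lines go under ''."""
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":      # blank or '!' ends the current stanza
            current = ""
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:                             # any other top-level (or control-plane) line
            current = ""
            blocks[""].append(line.strip())
    return blocks

def audit(config):
    """Return a list of findings; an empty list means all three checks pass."""
    blocks = parse_config(config)
    findings = []
    for name, lines in blocks.items():
        # Only interfaces that carry an IP address can emit ICMP unreachables.
        if name and any(l.startswith("ip address ") for l in lines) \
                and "no ip unreachables" not in lines:
            findings.append(f"{name}: missing 'no ip unreachables'")
    glob = blocks[""]
    if not any(re.match(r"mls rate-limit unicast ip icmp unreachable acl-drop \d+", l) for l in glob):
        findings.append("global: no mls rate-limit for acl-drop unreachables")
    if "control-plane" not in glob or not any(l.startswith("service-policy input ") for l in glob):
        findings.append("global: no CoPP service-policy under control-plane")
    return findings
```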