[c-nsp] Safer DDOS drops

Stig Meireles Johansen stig.johansen at datametrix.no
Sat Apr 9 02:16:05 EDT 2011


FWIW, the "no ip unreachables" has to be configured on your uplinks for it to have any effect in this setting.

/Stig

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Kranz
Sent: 9. april 2011 00:45
To: 'Peter Rathlev'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

Brandon, Peter, Phil, thanks.

I removed 'ip accounting access-violations', used the fragments filter, and changed to 'mls rate-limit unicast ip icmp unreachable acl-drop 0'. Another >5Gbps attack in progress currently, but router CPU is happy and customer still in service.

-peter



