[c-nsp] Safer DDOS drops
Stig Meireles Johansen
stig.johansen at datametrix.no
Sat Apr 9 02:16:05 EDT 2011
FWIW, The "no ip unreachables" has to be configured on your uplinks for it to have any effect in this setting.
/Stig
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Kranz
Sent: 9. april 2011 00:45
To: 'Peter Rathlev'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops
Brandon, Peter, Phil thanks..
I removed 'ip accounting access-violations', used the fragments filter, and changed to ' mls rate-limit unicast ip icmp unreachable acl-drop 0' .. another >5Gbps attack in progress currently, but router CPU is happy and customer still in service.
-peter
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list