[c-nsp] rate limit dns
Mike
mike-cisconsplist at tiedyenetworks.com
Thu Dec 26 22:55:10 EST 2013
Hi,
We occasionally see DDoS directed at our broadband subscribers and
the most popular of these appear to be dns amplification/dns spoof
based. To protect the network we have implemented some rate limiting so
that udp port 53 traffic from any host to our subscribers is limited to
a maximum of 15mbps. This works for our needs, but we'd like to get a
little more specific and exclude our own resolvers from this limit.
Here's what we have currently:
interface GigabitEthernet0/0.xx
encapsulation dot1Q xx
ip address x.x.x.x y.y.y.y
ip flow ingress
ip flow egress
rate-limit input access-group 121 15000000 2812500 5625000
conform-action transmit exceed-action drop
!
access-list 121 permit udp any any eq domain
Can anyone suggest how we might tighten this up and either have a
separate rate limit list or somehow exclude my small list of resolver
IPs from the above limiting?
Thank you.
Mike
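One way to do what the post asks, shown as an added example rather than the poster's own configuration: in a CAR rate-limit ACL a "deny" entry means "this rate-limit does not match" (the packet falls through to the next rate-limit statement, or is forwarded normally), so deny entries for the resolvers placed ahead of the catch-all permit exclude them, and a second ACL with its own rate-limit statement gives them a separate, higher ceiling instead. The resolver addresses 192.0.2.10/192.0.2.11 and the 50 Mbps figure are constructed placeholders; the 15 Mbps limiter and its burst values are the ones from the post.

```cisco
! Added example, not the poster's running config. Resolver IPs below
! are constructed placeholders (RFC 5737 range); substitute the real ones.
!
! Option A: exclude the resolvers from the existing limiter entirely.
! Order matters: the deny entries must come before the catch-all permit.
access-list 121 deny   udp host 192.0.2.10 any eq domain
access-list 121 deny   udp host 192.0.2.11 any eq domain
access-list 121 permit udp any any eq domain
!
! Option B: give the resolvers their own, higher limit rather than none,
! so a compromised resolver (or traffic spoofed from its address) still
! cannot saturate a subscriber. Rate-limit statements are evaluated in
! order and a packet transmitted by the first matching statement is not
! evaluated against later ones, so the resolver limiter is listed first.
access-list 122 permit udp host 192.0.2.10 any eq domain
access-list 122 permit udp host 192.0.2.11 any eq domain
!
interface GigabitEthernet0/0.xx
 encapsulation dot1Q xx
 ip address x.x.x.x y.y.y.y
 ip flow ingress
 ip flow egress
 ! resolvers: 50 Mbps (constructed figure), normal burst 1.5 s of
 ! traffic in bytes, extended burst twice that, same ratio as the
 ! original 15 Mbps entry (15000000/8*1.5 = 2812500, x2 = 5625000)
 rate-limit input access-group 122 50000000 9375000 18750000 conform-action transmit exceed-action drop
 ! everyone else: the original 15 Mbps limit
 rate-limit input access-group 121 15000000 2812500 5625000 conform-action transmit exceed-action drop
!
```

If Option A alone is wanted, drop ACL 122 and the first rate-limit line; the deny entries in ACL 121 are enough to take the resolvers out of the limiter, and `show interfaces GigabitEthernet0/0.xx rate-limit` shows per-statement conformed/exceeded counters to confirm which statement traffic is hitting.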