[c-nsp] DNS amplification

Phil Mayers p.mayers at imperial.ac.uk
Mon Mar 18 09:12:58 EDT 2013


On 18/03/13 12:51, Phil Mayers wrote:
> On 18/03/13 12:04, Dobbins, Roland wrote:
>>
>> On Mar 18, 2013, at 6:01 PM, Phil Mayers wrote:
>>
>>> I'm not hugely sure what QoS has to do with BCP 38, but ACL- and
>>> RPF-dropped flows have output interface of 0 on sup720, IME.
>>
>> Only for punted traffic.  Traffic dropped in hardware never makes it
>> into the mls table.
>
> Really? You sure about that? In that case, what is "mls exclude
> acl-deny" for?
>

Ah wait, looks like you're right for packets dropped by uRPF - the flows I see have TCP flags present, which of course the hw doesn't generate on that platform. So those are flows from the "leaked" uRPF fails.

Don't have any current ACLs which are being hit, so can't verify for those.
