[c-nsp] Shaping NTP traffic on 6500/7600
Thomas St-Pierre
tstpierre at iweb.com
Wed Feb 26 18:41:45 EST 2014
Hi!
We’ve been seeing a bunch of NTP-based DDoSes recently, and are looking for ways to mitigate the harm they’re causing. One option I’m looking at is to police the NTP traffic at our edge interfaces.
Currently we see on average something like 15-20 Mbps of NTP traffic in our AS. I was thinking of policing it to something like 50 Mbps at each of our edge/peer interfaces. Normal traffic shouldn’t be affected, and it will help avoid saturating our internal links. Unfortunately my QoS is a bit rusty, so I’m hoping to bounce this off others. :)
Here’s the config snippet I’m thinking of using:
----------
ip access-list extended NTP
 ! NTP (UDP/123) as source port (replies) or as destination port (queries)
 permit udp any eq ntp any
 permit udp any any eq ntp
!
class-map match-all NTP
 match access-group name NTP
!
policy-map ANTI-DDOS-NTP
 class NTP
  ! 50 Mbps; burst sizes are omitted, so the platform defaults apply
  police 50000000 conform-action transmit exceed-action drop violate-action drop
!
interface TenGigabitEthernetX/X
 service-policy input ANTI-DDOS-NTP
----------
What I’m most worried about is: are there any hardware limitations we might hit that I should be aware of? We also have a small ACL on the interfaces already (blocking invalid stuff, such as packets with internal IPs, etc.).
I have two platforms I’d need to deploy it on:
6500 with SUP720-3BXL supervisor and X6704-10GE line cards
7600 with RSP720-3CXL-10GE supervisor and X6708-10GE line cards
Any advice would be appreciated :D
Thanks!
Thomas
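Added example, not part of Thomas's post and not Cisco's code: a software model of the single-rate policer that `police 50000000 conform-action transmit exceed-action drop violate-action drop` applies to packets matching the NTP ACL above, using the two-bucket rule of RFC 2697 (committed bucket Bc, excess bucket Be). It is fed with constructed packet traces so the conform/exceed/violate split and the effective forwarded rate can be seen. The burst sizes (1 MB each), packet sizes (90-byte NTP, 482-byte amplification replies), traffic rates and the function names are assumptions chosen for the illustration; the real PFC defaults and hardware behaviour are not modelled.

```python
"""Model of the posted NTP policer (added example, assumptions labelled)."""

NTP_PORT = 123
POLICE_BPS = 50_000_000              # rate from the posted policy-map
ACTIONS = {"conform": "transmit",    # actions from the posted policy-map
           "exceed": "drop",
           "violate": "drop"}


def matches_ntp_acl(proto, sport, dport):
    """Mirror of the posted ACL: UDP with NTP as source OR destination port."""
    return proto == "udp" and (sport == NTP_PORT or dport == NTP_PORT)


class SingleRatePolicer:
    """srTCM-style policer: tokens refill the committed bucket at cir_bps and
    only the overflow spills into the excess bucket. A packet is conform if
    the committed bucket covers it, exceed if only the excess bucket does,
    violate otherwise. bc/be values are assumptions, not platform defaults."""

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes
        self.be_bytes = be_bytes
        self.tc = float(bc_bytes)    # both buckets start full
        self.te = float(be_bytes)
        self.last_ns = 0

    def _refill(self, now_ns):
        tokens = self.cir_bps / 8 * (now_ns - self.last_ns) / 1e9
        self.last_ns = now_ns
        room = self.bc_bytes - self.tc
        if tokens <= room:
            self.tc += tokens
        else:                          # committed bucket full: spill into Be
            self.tc = float(self.bc_bytes)
            self.te = min(float(self.be_bytes), self.te + tokens - room)

    def police(self, now_ns, size):
        self._refill(now_ns)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def constant_rate_trace(bps, pkt_bytes, duration_s, sport, dport, proto="udp"):
    """Constructed trace: evenly spaced packets of one size at a fixed rate."""
    interval_ns = pkt_bytes * 8 * 1_000_000_000 // bps
    return [(t, proto, sport, dport, pkt_bytes)
            for t in range(0, int(duration_s * 1_000_000_000), interval_ns)]


def simulate(policer, packets):
    """Apply the policy to a trace: NTP packets go through the policer,
    anything else lands in class-default and is forwarded untouched."""
    stats = {"conform": 0, "exceed": 0, "violate": 0, "unclassified": 0,
             "sent_bytes": 0, "dropped_bytes": 0}
    for t_ns, proto, sport, dport, size in sorted(packets):
        if not matches_ntp_acl(proto, sport, dport):
            stats["unclassified"] += 1
            stats["sent_bytes"] += size
            continue
        color = policer.police(t_ns, size)
        stats[color] += 1
        if ACTIONS[color] == "transmit":
            stats["sent_bytes"] += size
        else:
            stats["dropped_bytes"] += size
    return stats


def forwarded_bps(stats, duration_s):
    return stats["sent_bytes"] * 8 / duration_s


def normal_day():
    """Assumed baseline: 20 Mbps of 90-byte NTP packets plus one DNS packet."""
    pol = SingleRatePolicer(POLICE_BPS, bc_bytes=1_000_000, be_bytes=1_000_000)
    pkts = constant_rate_trace(20_000_000, 90, 1.0, NTP_PORT, NTP_PORT)
    pkts.append((500_000_000, "udp", 33000, 53, 120))  # not NTP: bypasses policer
    return simulate(pol, pkts)


def amplification_flood():
    """Assumed attack: 1 Gbps of 482-byte replies sourced from UDP/123."""
    pol = SingleRatePolicer(POLICE_BPS, bc_bytes=1_000_000, be_bytes=1_000_000)
    pkts = constant_rate_trace(1_000_000_000, 482, 1.0, NTP_PORT, 40000)
    return simulate(pol, pkts)


if __name__ == "__main__":
    for name, fn in (("normal", normal_day), ("flood", amplification_flood)):
        s = fn()
        print(name, s, "forwarded ~%.1f Mbps" % (forwarded_bps(s, 1.0) / 1e6))
```

Two things the model makes visible that the one-line `police` statement hides. First, the 20 Mbps baseline never drains the committed bucket, so it is forwarded untouched, while the 1 Gbps flood is cut to roughly the CIR plus one committed burst (about 58 Mbps here), so the burst size decides how much of the attack leaks through on top of the 50 Mbps. Second, because exceed and violate both drop, the excess bucket contributes nothing to forwarded traffic: the `exceed` counter only records dropped packets, so for this policy a two-colour policer with just a normal burst behaves identically. Whether the PFC applies this per port, per line card or as an aggregate is exactly the hardware question raised above, and this model does not answer it.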