[c-nsp] Shapping NTP traffic on 6500/7600
Thomas St-Pierre
tstpierre at iweb.com
Wed Feb 26 20:01:14 EST 2014
On 2/26/2014, 7:48 PM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:
>
>On Feb 27, 2014, at 6:41 AM, Thomas St-Pierre <tstpierre at iweb.com> wrote:
>
>> Normal traffic shouldn¹t be affected,
>
>It will be crowded out during an attack.
I can live with this :) If ntp is down for a bit the servers will continue
living. Their clocks shouldn¹t drift that much between the time the DDOS
starts and when we¹ve null-routed the ip (using remotely triggered
null-routes for our upstreams as well :) )
>
>I don't know if you've the ability to match on packet size or not in
>hardware for QoS - if so, UDP/123 packets which *aren't* 76 bytes in
>length is a good classifier, as it leaves timesync ntp traffic alone and
>squelches everything else.
I admit I didn¹t check the 7600 platform, but the 6500 doesn¹t seem to
support it. I can create the config, but when I apply it to the interface
it says that the interface doesn¹t support matching on length :(
Thanks!
>
>-----------------------------------------------------------------------
>Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
>
>
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list