[c-nsp] rate limit dns

Mike mike-cisconsplist at tiedyenetworks.com
Fri Jan 3 08:24:09 EST 2014


On 01/03/2014 01:45 AM, Gert Doering wrote:
> If there is no attack, rate-limiting won't kick in. This wasn't about 
> "rate-limit to 10pps" but to "less than 10Mbit/s" - which you just 
> won't see under normal circumstances, if you exclude well-known local 
> recursives plus well-known remote recursive from the rate-limiting.


Exactly my point and the reason why I brought this thread up.

We had another such incident tonight, throwing over 700mbps at us. My 
router stood up, my filter kicked in, the network continued functioning. 
Someone here pointed out a flaw in my original access-list which didn't 
catch everything I thought it did and now with that fixed under this 
latest incident I think the results pretty clearly are that this seems 
to be a reasonable step. The open question now for me is what level of 
granularity do I really want to implement?

I have been looking at MQC documentation to learn how I might implement 
a better policy than one-queue-or-rate-limit-fits-all and as it applies 
to my situation (broadband provider / pppoe subscribers). Some of the 
comments here are helpful - I agree it's likely I could have a short 
list of known good resolvers that don't need to be rate limited, and of 
the unknown ones it's likely I could have perhaps a per-user qos to 
ensure a subscriber has some minimum guaranteed bandwidth for dns to any 
destination. Globally I also of course would likely set a global 
catch-all to rate limit traffic not caught by the customer qos limits to 
something like 15mbps total. What I don't know here is what exactly is 
supported on my router (7201 with 12.2(33)-sre7) nor what the net effect 
on my router is likely to be for > 1000 pppoe sessions if I did 
something like this. While I was at it, if I had to have some kind of 
qos set up for users, prioritizing dns is likely a good step in any 
event but I'm sure there are others as well. Perhaps I might like to also 
prioritize sip over http over unclassified bulk traffic?

I just don't have a good handle on how to attack this or what these 
traffic classes / policies would actually look like just yet. Does 
anyone else do this that could post a config snippet?

Mike-
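Added example, not posted by Mike or anyone else in the thread: one way the policy sketched above (known-good resolvers exempt, a global catch-all police on other DNS replies, DNS and SIP ahead of HTTP ahead of bulk) can be laid out in Cisco IOS MQC. Every name, ACL entry and rate is an assumption; 192.0.2.53 and 198.51.100.53 are documentation addresses standing in for the local and remote recursives, and the interface name is a placeholder.

```text
! Added example, not from the thread. Names, ACL entries and rates are
! assumptions; 192.0.2.53 and 198.51.100.53 are documentation addresses
! standing in for the known-good local/remote recursives.
! Known-good resolvers: excluded from the catch-all police below.
ip access-list extended DNS-TRUSTED-RESOLVERS
 permit udp host 192.0.2.53 eq 53 any
 permit udp host 198.51.100.53 eq 53 any
! Any other DNS reply (source port 53) headed towards subscribers.
ip access-list extended DNS-REPLIES-UNKNOWN
 permit udp any eq 53 any
ip access-list extended SIP-SIGNALING
 permit udp any any eq 5060
 permit tcp any any eq 5060
ip access-list extended HTTP-TRAFFIC
 permit tcp any eq 80 any
 permit tcp any eq 443 any
!
class-map match-all DNS-TRUSTED
 match access-group name DNS-TRUSTED-RESOLVERS
class-map match-all DNS-UNKNOWN
 match access-group name DNS-REPLIES-UNKNOWN
class-map match-all SIP
 match access-group name SIP-SIGNALING
class-map match-all HTTP
 match access-group name HTTP-TRAFFIC
!
! Inbound from upstream: trusted DNS passes untouched; everything else
! that looks like a DNS reply is policed to a 15 Mbit/s aggregate.
! Class order matters: a packet takes the first class it matches, so
! DNS-TRUSTED must come before DNS-UNKNOWN or it would be policed too.
policy-map UPSTREAM-IN
 class DNS-TRUSTED
 class DNS-UNKNOWN
  police cir 15000000 conform-action transmit exceed-action drop
!
! Outbound to subscribers: trusted DNS and SIP in the priority queue,
! HTTP guaranteed a share, unclassified bulk gets what is left. The
! percentages stay under the default 75% max-reserved-bandwidth.
policy-map SUBSCRIBER-OUT
 class DNS-TRUSTED
  priority percent 5
 class SIP
  priority percent 10
 class HTTP
  bandwidth percent 30
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 description Upstream transit (placeholder interface)
 service-policy input UPSTREAM-IN
```

How SUBSCRIBER-OUT is attached per PPPoE session, and which of these features the 7201 on 12.2(33)SRE7 actually supports, is platform specific and not shown here. After the next incident, `show policy-map interface` on the upstream port confirms whether the DNS-UNKNOWN class is the one absorbing the drops while DNS-TRUSTED stays clean.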
