Here is what I use:

I place the following commands under the unprotected interface facing the
Internet. The syntax for the command is as follows:

rate-limit {input | output} [access-group [rate-limit] acl-index] bps
burst-normal burst-max conform-action action exceed-action action

The numbers mean the following:

bps
 Average rate in bits per second. The value must be in increments of
8 kbps. In the example below, 1000000 is the average rate in bps.

burst-normal
 Normal burst size in bytes. The minimum value is bps divided by 2000. In
the example below, 1500000 is the normal burst size.

burst-max
 Excess burst size in bytes. In the example below, 2000000 is the excess
burst size.


Here is a practical example of how I like to configure rate limits:

! Allow UDP to occupy no more than 2 Mb/s of the pipe.
rate-limit input access-group 150 1000000 1500000 2000000 conform-action transmit exceed-action drop
! Allow ICMP to occupy no more than 575 Kb/s of the pipe.
rate-limit input access-group 160 496000 550000 575000 conform-action transmit exceed-action drop

! Rate limit (CAR) ACLs for UDP and ICMP.
access-list 150 permit udp any any
access-list 160 permit icmp any any

Regards,

David Wolsefer, CCIE #5858
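To make the three numbers concrete, here is an added example (written for this page, not David's or Cisco's code) that parses rate-limit lines of the form shown above, checks them against the rules stated in the reply (bps a multiple of 8 kbps, burst-normal at least bps/2000, burst-max no smaller than burst-normal), and runs a simplified token-bucket model to show which packets of a burst conform and which take the exceed action. The bucket model is an assumption: tokens are bytes, refill at bps/8 bytes per second up to burst-normal, and extended-burst borrowing follows a simplified form of Cisco's published "compounded debt" description, so it illustrates the parameters rather than reproducing the IOS implementation.

```python
"""Teaching model of Cisco CAR rate-limit parameters (added example).

Parses 'rate-limit' lines like those in the thread, validates the
parameter rules the reply states, and simulates a simplified CAR
token bucket.  Not IOS code; the extended-burst rule is an assumption
simplified from Cisco's 'compounded debt' description.
"""
import re
from dataclasses import dataclass

# Syntax from the reply: rate-limit {input|output} access-group [rate-limit]
# acl bps burst-normal burst-max conform-action X exceed-action Y
RATE_LIMIT_RE = re.compile(
    r"rate-limit\s+(input|output)\s+access-group\s+(?:rate-limit\s+)?(\d+)\s+"
    r"(\d+)\s+(\d+)\s+(\d+)\s+conform-action\s+(\S+)\s+exceed-action\s+(\S+)"
)


@dataclass
class RateLimit:
    direction: str
    acl: int
    bps: int            # average rate, bits per second
    burst_normal: int   # normal burst, bytes
    burst_max: int      # excess (extended) burst, bytes
    conform_action: str
    exceed_action: str


def parse_rate_limit(line: str) -> RateLimit:
    m = RATE_LIMIT_RE.search(line)
    if not m:
        raise ValueError(f"not a rate-limit line: {line!r}")
    d, acl, bps, bn, bm, ca, ea = m.groups()
    return RateLimit(d, int(acl), int(bps), int(bn), int(bm), ca, ea)


def check_rate_limit(rl: RateLimit) -> list:
    """Return the violations of the rules given in the thread (empty = OK)."""
    problems = []
    if rl.bps % 8000 != 0:
        problems.append(f"bps {rl.bps} is not a multiple of 8 kbps")
    if rl.burst_normal < rl.bps / 2000:
        problems.append(f"burst-normal {rl.burst_normal} < bps/2000 = {rl.bps / 2000}")
    if rl.burst_max < rl.burst_normal:
        problems.append("burst-max must not be smaller than burst-normal")
    return problems


class CarBucket:
    """Simplified CAR policer (assumption, not the IOS algorithm).

    tokens: bytes available; refills at bps/8 per second, capped at
    burst_normal, and may go negative while a flow is 'borrowing'.
    compounded_debt: running sum of borrowed amounts since the last
    exceed; once it passes burst_max the packet exceeds and the sum resets.
    """

    def __init__(self, rl: RateLimit):
        self.rl = rl
        self.tokens = float(rl.burst_normal)
        self.compounded_debt = 0.0
        self.last = 0.0

    def offer(self, t: float, size: int) -> str:
        # Refill for the elapsed time; a negative balance is repaid first.
        self.tokens = min(float(self.rl.burst_normal),
                          self.tokens + (t - self.last) * self.rl.bps / 8)
        self.last = t
        if self.tokens >= size:                    # within the normal burst
            self.tokens -= size
            return self.rl.conform_action
        if self.rl.burst_max <= self.rl.burst_normal:  # no extended burst
            return self.rl.exceed_action
        actual_debt = size - self.tokens           # tokens may be negative
        self.compounded_debt += actual_debt
        if self.compounded_debt > self.rl.burst_max:
            self.compounded_debt = 0.0             # dropped packet uses no tokens
            return self.rl.exceed_action
        self.tokens -= size                        # borrow and send
        return self.rl.conform_action


def simulate(rl: RateLimit, packets) -> list:
    """packets: iterable of (time_seconds, size_bytes), non-decreasing time."""
    bucket = CarBucket(rl)
    return [bucket.offer(t, size) for t, size in packets]


if __name__ == "__main__":
    # Constructed copy of the UDP line from the reply above.
    rl = parse_rate_limit("rate-limit input access-group 150 1000000 1500000 "
                          "2000000 conform-action transmit exceed-action drop")
    print(rl, check_rate_limit(rl) or "parameters OK")
    # Constructed burst: 1052 packets of 1500 bytes arriving at once.
    actions = simulate(rl, [(0.0, 1500)] * 1052)
    print(actions.count("transmit"), "transmitted,", actions.count("drop"), "dropped")
```

Running the burst shows why the two burst values matter: the first 1000 packets (1,500,000 bytes) fit in burst-normal, the extended burst then lets a further 51 be borrowed, and the 1052nd packet is the first to exceed; after 0.1 s of silence the bucket has refilled 12,500 bytes and a 1500-byte packet conforms again.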

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Yee, Jason
Sent: Monday, November 20, 2000 10:20 PM
To: '[EMAIL PROTECTED]'
Subject: access-list for DDOS attack

hi,

Anyone knows what the parameter in using CAR to rate limit ICMP packets
means, for example:


interface abc

rate-limit output access-group 200 2000000 512000 786000 transmit exceed-action drop

access-list 200 permit icmp any any echo-reply

what does the 2000000, 512000, 786000 mean?


thanks

Jason

_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
