ICANN Targets DDoS Attacks
Jared Mauch
jared at puck.Nether.net
Tue Oct 29 21:40:32 UTC 2002
On Tue, Oct 29, 2002 at 04:31:50PM -0500, Jared Mauch wrote:
> On Tue, Oct 29, 2002 at 01:24:11PM -0800, Dan Lockwood wrote:
> > Would anyone be willing to post an operational example of CAR for ICMP.
> > I would like to see what others are doing to combat the problem.
> >
> > Dan
> >
>
> rate-limit input access-group 2000 1536000 200000 200000 conform-action transmit exceed-action drop
>
>
> access-list 2000 permit icmp any any echo
> access-list 2000 permit icmp any any echo-reply
>
>
> POS0/1 <peer interface>
> Input
> matches: access-group 2000
> params: 1536000 bps, 200000 limit, 200000 extended limit
> conformed 96374566 packets, 19474M bytes; action: transmit
> exceeded 16609350 packets, 1446M bytes; action: drop
> last packet: 28ms ago, current burst: 0 bytes
> last cleared 7w5d ago, conformed 33230 bps, exceeded 2467 bps
> POS0/2 <peer interface>
> Input
> matches: access-group 2000
> params: 1536000 bps, 200000 limit, 200000 extended limit
> conformed 37773899 packets, 6325M bytes; action: transmit
> exceeded 5222953 packets, 399165438 bytes; action: drop
> last packet: 52ms ago, current burst: 0 bytes
> last cleared 7w5d ago, conformed 10794 bps, exceeded 681 bps
>
> As you can see by looking at your 'current burst'
> information, you can find out if there is an active attack/exceeding.
>
> These rates are typically quite low as you can see.
Here is a Juniper example:
firewall {
    filter icmp-car-ge-6-1-0 {
        policer echo-reply-ge-6-1-0 {
            if-exceeding {
                bandwidth-limit 2250000;
                burst-size-limit 256k;
            }
            then discard;
        }
        term icmp-echo-reply {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply ];
            }
            then {
                count echo-reply-ct-ge-6-1-0;
                policer echo-reply-ge-6-1-0;
                accept;
            }
        }
        term remainder {
            then accept;
        }
    }
}
You need to do per-interface buckets on Juniper, otherwise
it will do an overall aggregate.
You then would also set an input (or output) filter on
the interface to match the firewall filter,
e.g.:
# show interfaces ge-6/1/0
description "Exchange Interface";
link-mode full-duplex;
unit 0 {
    family inet {
        no-redirects;
        filter {
            input icmp-car-ge-6-1-0;
        }
        address 10.1.2.3/24 {
            primary;
        }
    }
}
-- snip --
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
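A small checker in Python, added here as an example (it is not from the post or the NANOG list), that parses `show interfaces rate-limit` output of the shape quoted above and applies the 'current burst' check the post describes, plus a long-run drop-ratio threshold. The sample text, the non-zero burst on POS0/2 and the 10% threshold are constructed for the example.

```python
import re
# Constructed sample modelled on the 'show interfaces rate-limit' output in the post
# (POS0/2's current burst is made non-zero so the active-burst check fires).
SAMPLE = """\
POS0/1 <peer interface>
    params: 1536000 bps, 200000 limit, 200000 extended limit
    conformed 96374566 packets, 19474M bytes; action: transmit
    exceeded 16609350 packets, 1446M bytes; action: drop
    last packet: 28ms ago, current burst: 0 bytes
    last cleared 7w5d ago, conformed 33230 bps, exceeded 2467 bps
POS0/2 <peer interface>
    params: 1536000 bps, 200000 limit, 200000 extended limit
    conformed 37773899 packets, 6325M bytes; action: transmit
    exceeded 5222953 packets, 399165438 bytes; action: drop
    last packet: 52ms ago, current burst: 150000 bytes
    last cleared 7w5d ago, conformed 10794 bps, exceeded 681 bps
"""
IFACE_RE = re.compile(r"^(\S+)\s+<")
FIELDS = {  # counter name -> regex matched against each line of the block
    "conformed_pkts": re.compile(r"conformed (\d+) packets"),
    "exceeded_pkts": re.compile(r"exceeded (\d+) packets"),
    "burst_bytes": re.compile(r"current burst: (\d+) bytes"),
    "exceeded_bps": re.compile(r"exceeded (\d+) bps"),
}

def parse_rate_limit(text):
    """Return {interface: {counter: int}} parsed from the show output."""
    stats, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = stats.setdefault(m.group(1), {})
        elif cur is not None:
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    cur[key] = int(m.group(1))
    return stats

def assess(stats, drop_ratio=0.10):
    """Flag an interface when a burst is in progress (the post's 'current burst'
    check) or when the long-run share of dropped ICMP exceeds drop_ratio."""
    report = {}
    for iface, s in stats.items():
        total = s["conformed_pkts"] + s["exceeded_pkts"]
        ratio = s["exceeded_pkts"] / total if total else 0.0
        report[iface] = {"drop_ratio": round(ratio, 3),
                         "active_burst": s["burst_bytes"] > 0,
                         "over_drop_ratio": ratio > drop_ratio}
    return report
```

Feed it the output of the real command on a poller and alert on `active_burst`; the drop ratio is the slower signal that the policer's rate may simply be set too low for normal ICMP on that peer.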