No subject
Jimmy Hess
mysidia at gmail.com
Wed Aug 22 02:58:01 UTC 2012
On 8/21/12, Robert E. Seastrom <rs at seastrom.com> wrote:
>> They've already factored wire cutters in; raise the bar.
> per-packet load-balancing between default route and null0 could
> accomplish that goal.
Dispatch ninjas to slip in and secretly replace spammers' DSL hardware
with a 300 baud modem?  Modern routers commonly have policing / rate
limiting policy support, so if wire-cutters weren't good enough,
there are other possible alternatives to finding a slow link to route
spammers to.  The "WANEM" project also comes to mind.
!~
mls qos aggregate-policer p1_8k 8000 1500 exceed-action drop
ip access-list extended 120
 10 permit tcp host (BADGUY) any eq 25
 20 permit tcp any eq 25 host (BADGUY)
!~
class-map known-spammer
 match access-group 120
policy-map spammerhell
 class known-spammer
  police rate 10 pps burst 1 packets peak-rate 11 pps
   conform-action set-dscp-transmit 0
   exceed-action drop
   violate-action drop
!
police aggregate p1_8k
int vlan 666
 rate-limit input access-group 120 8000 1500 2000 conform-action set-dscp-continue 0 exceed-action drop
 rate-limit output access-group 120 8000 1500 2000 conform-action set-dscp-continue 0 exceed-action drop
!~
int SlowEthernet3/26
 service-policy input spammerhell
...
Or whatever equivalent you have
--
-JH
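
Added example, not part of the original message: a simulation of what the "8000 1500 exceed-action drop" policer above does to constructed SMTP-sized traffic. It assumes a standard single-rate token bucket (8000 bit/s refill, 1500-byte depth, bucket starts full), not Cisco's exact implementation; the class, function and traffic names are made up for illustration.

```python
"""Single-rate, two-color token-bucket policer (illustrative model, not Cisco code)."""


class Policer:
    def __init__(self, rate_bps, burst_bytes):
        # Tokens are kept in bit-milliseconds so all arithmetic stays in integers.
        self.rate_bps = rate_bps
        self.cap = burst_bytes * 8 * 1000
        self.tokens = self.cap          # assumption: bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size_bytes):
        """Return True if the packet conforms (transmit), False if it exceeds (drop)."""
        refill = (now_ms - self.last_ms) * self.rate_bps
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        cost = size_bytes * 8 * 1000
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False                    # exceed-action drop: no tokens consumed


def simulate(packets, rate_bps=8000, burst_bytes=1500):
    """packets: iterable of (arrival_ms, size_bytes). Returns (sent, dropped, sent_bytes)."""
    policer = Policer(rate_bps, burst_bytes)
    sent = dropped = sent_bytes = 0
    for now_ms, size in packets:
        if policer.offer(now_ms, size):
            sent += 1
            sent_bytes += size
        else:
            dropped += 1
    return sent, dropped, sent_bytes


# Constructed traffic: 10 s of 1000-byte segments every 10 ms (800 kbit/s offered).
BULK = [(t, 1000) for t in range(0, 10_000, 10)]
# Constructed traffic: one 500-byte packet per second (4 kbit/s offered).
TRICKLE = [(t, 500) for t in range(0, 10_000, 1000)]

if __name__ == "__main__":
    for name, pkts in (("bulk", BULK), ("trickle", TRICKLE)):
        sent, dropped, nbytes = simulate(pkts)
        print(f"{name}: sent={sent} dropped={dropped} goodput={nbytes * 8 / 10:.0f} bit/s")
```

In this model a packet larger than the 1500-byte bucket depth can never conform, so the burst value also acts as a hard size ceiling on the policed flow.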