RE: DOS Question

From: Wright, Jeremy (JA_WRIGHT@xxxxxxxxxxxx)
Date: Tue May 28 2002 - 17:57:12 GMT-3

• Next message: Troy Rader: "Re: CCIE# 9369"
• Previous message: Jaime Rita: "Re: DOS Question"
• Maybe in reply to: Wright, Jeremy: "DOS Question"
• Next in thread: Rthugo1@xxxxxxx: "Re: DOS Question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
i read all of those before i posted this. i think i might have to go with
some type of rate limiting. i have 2 3640's with a total of 4 t1's for
internet(2 on each). if 1.1.1.1, 2.2.2.1, 3.3.3.1, and 4.4.4.1 are the
addresses of my links, what would be a good rate limit for udp? ive read the
"using CAR during DOS attacks" on cisco's site but im having trouble
determining the proper rate limit for the particular interfaces..ie:

access-list 101 icmp any any echo
access-list 101 icmp any any echo-reply

int s0/0
rate-limit input access-group 102 256000 yada yada yada

yada being the numbers i dont know. obviously this applies to icmp and am
interested on what to use for udp with my 4 t1's. thanks for the info

-----Original Message-----
From: Jaime Rita [mailto:jarita@cisco.com]
Sent: Tuesday, May 28, 2002 3:36 PM
To: Wright, Jeremy; 'ccielab@groupstudy.com'
Cc: 'security@groupstudy.com'
Subject: Re: DOS Question

Not sure there's such a thing as a "best" ACL ... some places to start (you
are probably aware of all these but nevertheless)

http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html

http://www.cisco.com/warp/public/707/newsflash.html

http://www.cisco.com/warp/customer/110/32.html

http://www.cisco.com/warp/public/707/22.html

http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/cswsc_wi.htm

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

http://www.cisco.com/warp/public/707/21.html

At 03:00 PM 5/28/2002 -0500, Wright, Jeremy wrote:
>does anyone have a sample ACL restricting DOS, specifically udp. i have
seen
>a lot of variations but i am having trouble narrowing it down to something
>standard and go from there. i obviously want normal internet traffic to
stay
>and communicate with our web servers but deny udp dos or scans in general.
>what would be the best acl? tia.
>
>
>
>
>
>
>
>
>
>
>************************
> Jeremy Wright
> Network Analyst
> Archer Daniels Midland
> ja_wright@admworld.com
> (217)451-4063
>
>************************

• Next message: Troy Rader: "Re: CCIE# 9369"
• Previous message: Jaime Rita: "Re: DOS Question"
• Maybe in reply to: Wright, Jeremy: "DOS Question"
• Next in thread: Rthugo1@xxxxxxx: "Re: DOS Question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:59:11 GMT-3