Re: Access-List Logging Rate Limit

From: shiran guez (shiranp3@gmail.com)
Date: Thu Jan 24 2008 - 04:48:58 ARST

• Next message: shiran guez: "Re: MQC Bandwidth/Shape options in 3550/3560"
• Previous message: shiran guez: "Re: rmon delat or absolute ?"
• Maybe in reply to: nhatphuc: "Access-List Logging Rate Limit"
• Next in thread: nhatphuc: "Re: Access-List Logging Rate Limit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

http://www.cisco.com/en/US/docs/ios/12_2/qos/command/reference/qrfcmd1.html#wp1017391

I do not think what you are looking for is rate limit as this is more
related to CAR and you do not want to allow the traffic in and slow it, you
just want to reduce the log size.

also I see that you increased the logging interval and update threshold. the
packets are coming to you and you are dropping them already so you cant do
anything else, I had once a problem with an attacker on one of my linux
servers and I had huge logs like more then 40GB and I have traced back to
the ISP that is relaying the attack and he apologized as he was also under
that attack from another source but when he managed to stop it on his side
then it stopped going to my end other then that I could not do anything else
accept clean the logs more often.

usually the problems with this attack are finding the source and stopping
him.

On Jan 23, 2008 7:01 PM, nhatphuc <nhatphuc@gmail.com> wrote:

> Hi Group,
>
> My router is under login attack. There're many logged messages output on
> console:
>
> Jan 23 23:40:43 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> 192.248.88.10(36752) -> 0.0.0.0(22), 1 packet
> Jan 23 23:40:44 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> 192.248.88.10(37556) -> 0.0.0.0(22), 1 packet
> Jan 23 23:40:46 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> 192.248.88.10(37737) -> 0.0.0.0 (22), 1 packet
>
> I've configured rate limit for access-list like this:
>
> ip access-list logging interval 30000
> ip access-list log-update threshold 10000
>
> But there are still many messages outputted. How can I slow it down? And
> how
> to use access-list rate limit feature? I think the parameters I configured
> are rather high but they didn't help.
>
> Thanks
>
> Phuc
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Shiran Guez
MCSE CCNP NCE1
http://cciep3.blogspot.com
http://www.linkedin.com/in/cciep3

• Next message: shiran guez: "Re: MQC Bandwidth/Shape options in 3550/3560"
• Previous message: shiran guez: "Re: rmon delat or absolute ?"
• Maybe in reply to: nhatphuc: "Access-List Logging Rate Limit"
• Next in thread: nhatphuc: "Re: Access-List Logging Rate Limit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:01 ARST