RE: Rate limiting TCP syn attack

From: Sonu Khandelwal (sokhande) <sokhande_at_cisco.com>
Date: Wed, 28 Jul 2010 19:44:39 +0530

Hi,
It gets automatically converted to 496000 even if we give 500000 as cir.

R2(config)#int gi0/1
R2(config-if)#rate-limit input 500000 1500 2000 conform-action transmit exceed-action drop

R2#sh run int gi0/1
Building configuration...

Current configuration : 339 bytes
!
interface GigabitEthernet0/1
 rate-limit input 496000 1500 2000 conform-action transmit exceed-action drop
end

I think this is some kind of limitation with this kind of config; I
think we should configure 500000 as the CIR. BTW, in the case of policing, Bc and
Be are in bytes and not in bits, hence assuming 4000 bytes as Bc might
not make it 500000 (the policing rate).

Just my 2c.

Thanks,
Sonu

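An added worked example (my own code, not from anyone in this thread) that makes the two points above concrete: CAR's rate argument is taken in 8 kbps steps (62 x 8000 = 496000, which is what the running config shows after typing 500000), while the two burst arguments are byte counts, so "496000 + 4000 = 500000" adds bits to bytes. The bucket simulation models only the normal burst, which is exact for the quoted answer where Bc equals Be; the extended-burst behaviour of CAR is deliberately not modelled. The 1.5-second burst rule of thumb and the 2000 pps SYN trace are assumptions constructed for the example.

```python
"""Sanity-check CAR (rate-limit) parameters and replay a SYN burst through
the normal-burst token bucket.  Added example, not code from the thread."""
from fractions import Fraction
from typing import List, Tuple

# Assumption: CAR takes the average rate in 8 kbps increments and IOS
# rounds a value that is not a multiple of 8000 down.  That is how a typed
# 500000 shows up as 496000 in the running configuration.
CAR_RATE_STEP_BPS = 8000


def effective_car_rate(requested_bps: int) -> int:
    """Rate IOS stores for 'rate-limit ... <bps> ...'."""
    return requested_bps - requested_bps % CAR_RATE_STEP_BPS


def recommended_bursts(rate_bps: int) -> Tuple[int, int]:
    """Rule of thumb assumed here for CAR bursts, in BYTES:
    normal burst = rate / 8 bits-per-byte * 1.5 s, extended = 2 * normal."""
    normal = int(rate_bps / 8 * 1.5)
    return normal, 2 * normal


def max_conforming_bytes(rate_bps: int, bc_bytes: int, seconds: int) -> int:
    """Upper bound on conforming traffic in a window starting from a full
    bucket: the burst plus the refill.  Note the unit conversion: the rate
    is bits/s, Bc is bytes, so the two cannot simply be added."""
    return bc_bytes + rate_bps * seconds // 8


def simulate_car(rate_bps: int, bc_bytes: int,
                 packets: List[Tuple[int, int]]) -> Tuple[int, int, int]:
    """Plain token bucket (normal burst only; exact when Bc == Be).
    packets: (arrival_us, size_bytes) in arrival order.
    Returns (conforming_packets, dropped_packets, conforming_bytes)."""
    tokens = Fraction(bc_bytes)                    # bucket starts full
    refill_per_us = Fraction(rate_bps, 8 * 1_000_000)  # bytes per microsecond
    last_us = packets[0][0] if packets else 0
    conforming = dropped = conforming_bytes = 0
    for arrival_us, size in packets:
        tokens = min(Fraction(bc_bytes),
                     tokens + (arrival_us - last_us) * refill_per_us)
        last_us = arrival_us
        if tokens >= size:                         # conform-action transmit
            tokens -= size
            conforming += 1
            conforming_bytes += size
        else:                                      # exceed-action drop
            dropped += 1
    return conforming, dropped, conforming_bytes


def syn_flood(pps: int, seconds: int, syn_bytes: int = 60) -> List[Tuple[int, int]]:
    """Constructed trace: evenly spaced SYN packets of syn_bytes each."""
    interval_us = 1_000_000 // pps
    return [(i * interval_us, syn_bytes) for i in range(pps * seconds)]


if __name__ == "__main__":
    print("typed 500000 ->", effective_car_rate(500000))       # 496000
    print("bursts for 496000:", recommended_bursts(496000))     # (93000, 186000)
    print("bytes in first second, Bc=4000:",
          max_conforming_bytes(496000, 4000, 1))                # 66000 bytes = 528000 bits
    print("2000 pps SYN flood:", simulate_car(496000, 4000, syn_flood(2000, 1)))
```

With Bc = 4000 bytes and a full bucket, the first second lets through 66000 bytes, i.e. 528000 bits, so the burst-in-bytes pushes the first-second throughput above the nominal 500 kbps; after the bucket drains, the simulation settles at the refill rate of 62000 bytes/s.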
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Alexei Monastyrnyi
Sent: Wednesday, July 28, 2010 6:50 PM
To: Gaurav Thukral
Cc: Group study
Subject: Re: Rate limiting TCP syn attack

Gaurav,
I would guess their train of thought being average rate + normal burst:
496000 + 4000 is 500000. The fishy part is that the average rate is in bits
and the bursts are in bytes...

HTH
A.

On 7/28/2010 11:10 PM, Gaurav Thukral wrote:
> Hi experts
>
> I came across the following question while practicing for the security
> section of CCIE SP :-
>
> Recently monitoring of your web server on VLAN 5 has shown an inordinate
> amount of half open TCP sessions, possibly indicating a DoS attack. In
> order to reduce the load on the server while the possibility of attack is
> investigated, configure R5 so that TCP requests sent to this server are
> limited to a maximum of 500Kbps.
>
> Following is the solution given for this.
>
> ANS:
>
> interface Ethernet0/1
> rate-limit output access-group 192 *496000 *4000 4000 conform-action transmit exceed-action drop
> !
> access-list 192 permit tcp any 173.1.5.0 0.0.0.255 eq www syn
>
>
> According to me in this case the CIR should be 500000 as the question says "maximum
> of 500" and accordingly Bc and Be should be calculated. Not sure how Bc and
> Be values are taken here. Can someone please explain this?
>
> Thanks & Regards,
> Gaurav.
>
>
> Blogs and organic groups at http://www.ccie.net
>
>
Received on Wed Jul 28 2010 - 19:44:39 ART