Re: Rate limiting TCP syn attack

From: Gaurav Thukral <pearlgaurav_at_gmail.com>
Date: Wed, 28 Jul 2010 23:03:06 +0530

Hi Sonu,

Thanks for your reply. I just want to confirm how these Bc and Be values
were derived if we have CIR = 500000.
As far as I know we use the formula CIR/32:

=> Bc = 500000/32 = 16000 (Approx.)

Please suggest if I am assuming something wrong here.

Thanks & Regards,
Gaurav.

On Wed, Jul 28, 2010 at 7:44 PM, Sonu Khandelwal (sokhande) <sokhande_at_cisco.com> wrote:

> Hi,
> It gets automatically converted to 496000 even if we give 500000 as cir.
>
> R2(config)#int gi0/1
> R2(config-if)#rate-limit input 500000 1500 2000 conform-action transmit exceed-action drop
>
> R2#sh run int gi0/1
> Building configuration...
>
> Current configuration : 339 bytes
> !
> interface GigabitEthernet0/1
> rate-limit input 496000 1500 2000 conform-action transmit exceed-action drop
> End
>
> I think this is some kind of limitation with this kind of config; I
> think we should configure 500000 as cir. BTW, in case of policing, bc and
> be are in bytes and not in bits, hence assuming 4000 bytes as bc might
> not make it 500000 (policing rate).
>
> Just my 2c.
>
> Thanks,
> Sonu
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Alexei Monastyrnyi
> Sent: Wednesday, July 28, 2010 6:50 PM
> To: Gaurav Thukral
> Cc: Group study
> Subject: Re: Rate limiting TCP syn attack
>
> Gaurav,
> I would guess their train of thought being average rate + normal burst,
> 496000 + 4000 is 500000. The fishy part is that average rate is in bits
> and bursts are in bytes...
>
> HTH
> A.
>
> On 7/28/2010 11:10 PM, Gaurav Thukral wrote:
> > Hi experts
> >
> > I came across the following question while practicing for the security
> > section of CCIE SP:
> >
> > Recently, monitoring of your web server on VLAN 5 has shown an inordinate
> > amount of half-open TCP sessions, possibly indicating a DoS attack. In
> > order to reduce the load on the server while the possibility of attack is
> > investigated, configure R5 so that TCP requests sent to this server are
> > limited to a maximum of 500Kbps.
> >
> > Following is the solution given for this.
> >
> > ANS:
> >
> > interface Ethernet0/1
> > rate-limit output access-group 192 496000 4000 4000 conform-action transmit exceed-action drop
> > !
> > access-list 192 permit tcp any 173.1.5.0 0.0.0.255 eq www syn
> >
> >
> > According to me, in this case CIR should be 500000 as the question says
> > "maximum of 500" and accordingly Bc and Be should be calculated. Not sure
> > how the Bc and Be values are taken here. Can someone please explain this?
> >
> > Thanks & Regards,
> > Gaurav.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

Received on Wed Jul 28 2010 - 23:03:06 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART
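A worked model of the policer the thread is arguing about, added here as an illustration; it is not code from any of the messages and not Cisco IOS code. It assumes a plain token bucket of depth Bc refilled at CIR/8 bytes per second (CAR's extended-burst mechanism is not modelled; in the quoted answer Be equals Bc, which leaves no extended burst to apply), the 8 kbps step in which CAR accepts the average rate, which is what turns 500000 into 496000 on Sonu's router, and the CIR/32 rule of thumb Gaurav cites, read as Bc = CIR * 0.25 s / 8 bits per byte. The classifier mirrors access-list 192 from the quoted answer; the server address 173.1.5.10, the packet sizes and the SYN stream are constructed sample input.

```python
"""Token-bucket model of the CAR rate-limit from the thread (added example, not IOS code).

Three points from the discussion, in code:
  * CAR takes the average rate in 8 kbps steps, so 500000 becomes 496000;
  * CIR is bits/s but Bc is bytes; the CIR/32 rule of thumb is CIR * 0.25 s / 8;
  * a bucket of depth Bc, fed at CIR, decides conform/exceed per packet.
Extended burst (Be) is deliberately not modelled: with Be == Bc, as in the
answer under discussion, there is no extended burst to apply.
"""
from dataclasses import dataclass
from fractions import Fraction
from ipaddress import ip_address, ip_network

CAR_RATE_STEP_BPS = 8000  # CAR average rate is configured in 8 kbps increments


def car_effective_rate(cir_bps: int) -> int:
    """Round a requested CIR down to the nearest rate CAR accepts (500000 -> 496000)."""
    return (cir_bps // CAR_RATE_STEP_BPS) * CAR_RATE_STEP_BPS


def bc_rule_of_thumb(cir_bps: int, tc_seconds: Fraction = Fraction(1, 4)) -> int:
    """Normal burst in bytes = CIR * Tc / 8; with Tc = 0.25 s this is CIR / 32."""
    return int(Fraction(cir_bps) * tc_seconds / 8)


@dataclass(frozen=True)
class Packet:
    t: Fraction      # arrival time in seconds (exact arithmetic, no float drift)
    size: int        # frame size in bytes
    proto: str
    dst: str
    dport: int
    syn: bool


WEB_SERVER_NET = ip_network("173.1.5.0/24")  # subnet from access-list 192 in the thread


def matches_acl_192(p: Packet) -> bool:
    """access-list 192 permit tcp any 173.1.5.0 0.0.0.255 eq www syn"""
    return (p.proto == "tcp" and ip_address(p.dst) in WEB_SERVER_NET
            and p.dport == 80 and p.syn)


class TokenBucketPolicer:
    """Single bucket: depth Bc bytes, refilled at CIR/8 bytes per second."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.rate = Fraction(cir_bps, 8)    # bytes per second
        self.depth = Fraction(bc_bytes)
        self.tokens = Fraction(bc_bytes)    # bucket starts full
        self.last_t = Fraction(0)

    def offer(self, p: Packet) -> str:
        # credit tokens for the idle time since the previous packet, capped at Bc
        self.tokens = min(self.depth, self.tokens + self.rate * (p.t - self.last_t))
        self.last_t = p.t
        if self.tokens >= p.size:
            self.tokens -= p.size
            return "conform"    # conform-action transmit
        return "exceed"         # exceed-action drop


def police_interface(packets, cir_bps: int, bc_bytes: int, classifier=matches_acl_192):
    """Police only the packets the ACL matches; everything else passes unpoliced.
    Returns counts of conforming (sent), exceeding (dropped) and unmatched packets."""
    policer = TokenBucketPolicer(car_effective_rate(cir_bps), bc_bytes)
    counts = {"conform": 0, "exceed": 0, "unmatched": 0}
    for p in sorted(packets, key=lambda x: x.t):
        counts[policer.offer(p) if classifier(p) else "unmatched"] += 1
    return counts


def syn_stream(pps: int, seconds: int, size: int = 64, dst: str = "173.1.5.10"):
    """Constructed traffic: evenly spaced TCP SYNs to a (hypothetical) server on VLAN 5."""
    return [Packet(Fraction(i, pps), size, "tcp", dst, 80, True)
            for i in range(pps * seconds)]


if __name__ == "__main__":
    # 2000 SYN/s for one second against the 500 kbps / 4000-byte answer
    print(car_effective_rate(500000), bc_rule_of_thumb(500000))   # 496000 15625
    print(police_interface(syn_stream(2000, 1), 500000, 4000))
    # {'conform': 1030, 'exceed': 970, 'unmatched': 0}
```

With 496000 bit/s (62000 bytes/s) and a 4000-byte bucket, the first 120 SYNs of 64 bytes go through back to back before the bucket runs dry; after that the policer settles to roughly one conforming SYN per 64 bytes of refill, so 1030 of the 2000 SYNs are transmitted and 970 dropped in the first second, while non-SYN traffic to the same server is never charged against the bucket. The CIR/32 figure for 500000 comes out as 15625 bytes, which is the value Gaurav rounds to about 16000.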