Ethernet Switches & Routers

Contributor
Posts: 32
Registered: ‎12-06-2011

Custom rules for UDP flood / DNS amplification attack

Hello,

We are facing a small issue with some of our clients' servers on FCX and FESX switches. Is there any way to address UDP floods and DNS amplification attacks with some custom rules?

If a DNS amplification attack or UDP flood goes over 1 gig, it null-routes the IP using a BGP community.

If there are more than x connections to a specific IP, then it null-routes the IP or blocks the remote IP.

Thank you very much in advance.

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Custom rules for UDP flood / DNS amplification attack

Hi,

About the only two ideas I can think of are to use ACL-based rate limiting and/or a closed loop with an IPS (snort box).

Have not done either in a long time though, and do not have any kit that can do that any more.

Suggest having a quick look at the config guide (chapter 21, Configuring traffic policies) for the rate limiting.

Thanks

Michael.

Contributor
Posts: 32
Registered: ‎12-06-2011

Re: Custom rules for UDP flood / DNS amplification attack

For example, this is for ICMP and UDP:

ip icmp burst-normal 5000 burst-max 10000 lockup 300

ip tcp burst-normal 10 burst-max 100 lockup 300

Can anyone tell me how to do the global config, e.g. if UDP flood traffic is over 1 gig, then lock up or null-route the local IP for 300 seconds?

Thanks

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Custom rules for UDP flood / DNS amplification attack

Hi,

I do not believe there is a way to set a global UDP limit. You can set ACL-based rate limits per interface but not globally.

Thanks

Michael.
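Since, as Michael notes, the switch offers no global UDP limit, the policy asked for in the first post (null-route a destination via a BGP community once UDP traffic to it exceeds 1 Gbit/s or too many sources hit it, then release it after 300 seconds) is usually decided off-box from sFlow/NetFlow samples. The following is an added example, not code from this thread or from Brocade; the flow records, the source-count threshold and the community value 65000:666 are constructed assumptions.

```python
from collections import defaultdict

UDP_BPS_THRESHOLD = 1_000_000_000  # "over 1gig" from the thread: 1 Gbit/s
SOURCE_THRESHOLD = 1000            # the thread's "x" connections; hypothetical value
LOCKUP_SECONDS = 300               # lockup interval used in the thread's burst commands
BLACKHOLE_COMMUNITY = "65000:666"  # hypothetical RTBH community the upstream honours

class FloodDetector:
    def __init__(self, window_seconds=1.0):
        self.window = window_seconds
        self.locked = {}  # dst_ip -> time the lockup expires

    def evaluate(self, flows, now):
        """flows: (src_ip, dst_ip, proto, src_port, byte_count) seen in one window.
        Returns [(dst_ip, reason, community)] for destinations to null-route."""
        udp_bytes, dns_bytes, sources = defaultdict(int), defaultdict(int), defaultdict(set)
        for src, dst, proto, sport, nbytes in flows:
            if proto != "udp":
                continue
            udp_bytes[dst] += nbytes
            sources[dst].add(src)
            if sport == 53:
                dns_bytes[dst] += nbytes
        actions = []
        for dst, nbytes in udp_bytes.items():
            if self.locked.get(dst, 0) > now:
                continue  # already null-routed, wait for the lockup to expire
            bps = nbytes * 8 / self.window
            if bps > UDP_BPS_THRESHOLD:
                # flood made up mostly of port-53 replies: amplification pattern
                reason = "dns-amplification" if dns_bytes[dst] * 2 > nbytes else "udp-flood"
            elif len(sources[dst]) > SOURCE_THRESHOLD:
                reason = "too-many-sources"
            else:
                continue
            self.locked[dst] = now + LOCKUP_SECONDS
            actions.append((dst, reason, BLACKHOLE_COMMUNITY))
        return actions

    def expire(self, now):
        """Return destinations whose lockup elapsed; caller withdraws the route."""
        done = sorted(d for d, t in self.locked.items() if t <= now)
        for d in done:
            del self.locked[d]
        return done

def constructed_flows():
    """Constructed sample: 150 MB of port-53 UDP replies to one host in one second."""
    flood = [(f"198.51.100.{i % 250 + 1}", "203.0.113.10", "udp", 53, 1_000_000) for i in range(150)]
    return flood + [("192.0.2.5", "203.0.113.20", "udp", 40000, 5_000)]
```

The caller turns each returned action into a BGP announcement tagged with the community (and withdraws it when `expire` reports the destination); the detector itself only decides.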
