09-08-2013 12:57 AM
We are facing a little issue with some of the clients' servers on FCX and FESX switches. Is there any way to address UDP flood and DNS amplification attacks with some custom rules?
If a DNS amplification or UDP flood goes over 1 gig, null route the IP using a BGP community.
If there are more than x number of connections to a specific IP, then null route the IP or block the remote IP.
Thank you very much in advance.
09-09-2013 04:44 AM
About the only two ideas I can think of are to use ACL-based rate limiting and/or a closed loop with an IPS (Snort box).
I have not done either in a long time though, and do not have any kit that can do that any more.
I suggest having a quick look at the config guide (chap. 21, Configuring traffic policies) for the rate limiting.
09-10-2013 05:38 AM
For example, this is for ICMP and TCP:
ip icmp burst-normal 5000 burst-max 10000 lockup 300
ip tcp burst-normal 10 burst-max 100 lockup 300
Can anyone tell me how to do the global config, e.g. if UDP flood traffic is over 1 gig then lock up or null route the local IP for 300 seconds?
09-10-2013 06:07 AM
I do not believe there is a way to set a global UDP limit. You can set ACL-based rate limits per interface, but not globally.