
nanog mailing list archives

Re:
From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 21 Aug 2012 21:58:01 -0500

On 8/21/12, Robert E. Seastrom <rs () seastrom com> wrote:
They've already factored wire cutters in; raise the bar.
per-packet load-balancing between default route and null0 could
accomplish that goal.

Dispatch ninjas to slip in and secretly replace spammers' DSL hardware
with a 300 baud modem? Modern routers commonly have policing / rate
limiting policy support, so if wire-cutters weren't good enough,
there are other possible alternatives to finding a slow link to route
spammers to. The "WANEM" project also comes to mind.

!~
mls qos aggregate-policer  p1_8k  8000  1500 exceed-action drop

ip access-list extended 120
10  permit tcp host (BADGUY) any eq 25
20  permit tcp any eq 25 host (BADGUY)
!~
class-map known-spammer
  match access-group 120
policy-map spammerhell
  class known-spammer
    police rate  10  pps burst 1 packets  peak-rate 11  pps
         conform-action set-dscp-transmit 0
         exceed-action drop
         violate-action drop
    !
    police aggregate p1_8k

int vlan 666
 rate-limit input access-group 120 8000 1500 2000 conform-action set-dscp-continue 0 exceed-action drop
 rate-limit output access-group 120 8000 1500 2000 conform-action set-dscp-continue 0 exceed-action drop
!~

int   SlowEthernet3/26
   service-policy input spammerhell

...
Or whatever equivalent you have

--
-JH
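
Added example (not part of the original message): a single-rate token-bucket model of a policer using the 8000 / 1500 values from the config above, assumed here to mean 8000 bit/s with a 1500-byte burst and exceed-action drop. The function names and traffic streams are constructed for illustration; real platforms differ in refill granularity.

```python
# Token-bucket policer model (single rate, two colours: conform / exceed-drop).
# Integer maths only: tokens are kept in units of 1/8000 byte so that one
# millisecond of refill at rate_bps adds exactly rate_bps units.
SCALE = 8000  # 8 bits/byte * 1000 ms/s


def constant_stream(size_bytes, interval_ms, duration_ms):
    """Constructed traffic: one packet of size_bytes every interval_ms."""
    return [(t, size_bytes) for t in range(0, duration_ms, interval_ms)]


def police(rate_bps, burst_bytes, packets):
    """Return (conformed, dropped) packet counts for (time_ms, size) tuples."""
    capacity = burst_bytes * SCALE
    tokens = capacity          # assumption: bucket starts full
    last_ms = 0
    conformed = dropped = 0
    for now_ms, size in packets:
        # Refill for the elapsed time, never beyond the burst size.
        tokens = min(capacity, tokens + (now_ms - last_ms) * rate_bps)
        last_ms = now_ms
        cost = size * SCALE
        if cost <= tokens:
            tokens -= cost     # conform: transmit and spend tokens
            conformed += 1
        else:
            dropped += 1       # exceed-action drop: tokens are not spent
    return conformed, dropped


def goodput_bps(rate_bps, burst_bytes, packets, duration_ms):
    """Bits per second that actually got through the policer."""
    passed = 0
    for pkt in packets:
        # Re-run the policer on the stream seen so far is wasteful; instead
        # count sizes directly using a one-packet window over police().
        passed += 0
    ok, _ = police(rate_bps, burst_bytes, packets)
    return ok * packets[0][1] * 8 * 1000 // duration_ms


if __name__ == "__main__":
    stream = constant_stream(1000, 100, 10_000)   # 80 kbit/s offered for 10 s
    print("1000-byte packets:", police(8000, 1500, stream))
    print("goodput bit/s:", goodput_bps(8000, 1500, stream, 10_000))
    print("oversize packets:", police(8000, 1500, constant_stream(1501, 100, 10_000)))
```

A sender offering 80 kbit/s gets roughly the policed rate through, and any packet larger than the burst size never conforms at all.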

