nanog mailing list archives
Re:
From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 21 Aug 2012 21:58:01 -0500
On 8/21/12, Robert E. Seastrom <rs () seastrom com> wrote:
> They've already factored wire cutters in; raise the bar. per-packet load-balancing between default route and null0 could accomplish that goal.

Dispatch ninjas to slip in and secretly replace spammers' DSL hardware
with a 300 baud modem? Modern routers commonly have policing / rate
limiting policy support, so if wire-cutters weren't good enough,
there are other possible alternatives to finding a slow link to route
spammers to. The "WANEM" project also comes to mind.
!~
! Named aggregate policer: 8000 bps, 1500-byte burst, drop the excess
mls qos aggregate-policer p1_8k 8000 1500 exceed-action drop
! ACL 120: SMTP (TCP port 25) traffic to or from the spammer's host
! (port matching needs "tcp"; "ip" does not accept "eq 25")
ip access-list extended 120
 10 permit tcp host (BADGUY) any eq 25
 20 permit tcp any eq 25 host (BADGUY)
!~
class-map known-spammer
 match access-group 120
policy-map spammerhell
 class known-spammer
  police rate 10 pps burst 1 packets peak-rate 11 pps
   conform-action set-dscp-transmit 0
   exceed-action drop
   violate-action drop
!
! References the aggregate policer defined above (goes under a policy-map class)
police aggregate p1_8k
! CAR applied directly on the interface, both directions
int vlan 666
 rate-limit input access-group 120 8000 1500 2000 conform-action set-dscp-continue 0 exceed-action drop
 rate-limit output access-group 120 8000 1500 2000 conform-action set-dscp-continue 0 exceed-action drop
!~
int SlowEthernet3/26
 service-policy input spammerhell
...
Or whatever equivalent you have
--
-JH
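
What the "8000 1500 exceed-action drop" policer parameters above do to a flow, modelled as a plain single-rate token bucket. This is an added example, not part of the original message; the traffic samples are constructed, and the model ignores CAR's extended burst (the 2000) and any platform-specific behaviour.

```python
# Added illustration: single-rate token-bucket policer (assumed simplified model).
# Integer arithmetic in millibits avoids floating-point drift in the bucket level.

class Policer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.cap = burst_bytes * 8000      # bucket depth in millibits
        self.tokens = self.cap             # bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size_bytes):
        """Return True if the packet conforms (transmit), False if it is dropped."""
        # Refill: bits/second * elapsed milliseconds = millibits, capped at the burst.
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate_bps)
        self.last_ms = now_ms
        cost = size_bytes * 8000
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False                       # exceed-action drop: no tokens consumed


def simulate(packets, rate_bps=8000, burst_bytes=1500):
    """packets: (timestamp_ms, size_bytes) pairs in time order.
    Returns (bytes_sent, bytes_dropped)."""
    policer = Policer(rate_bps, burst_bytes)
    sent = dropped = 0
    for ts_ms, size in packets:
        if policer.offer(ts_ms, size):
            sent += size
        else:
            dropped += size
    return sent, dropped


# Constructed traffic samples (not taken from any real capture).
# Bulk sender: one 1000-byte segment every 100 ms for 10 s (about 80 kbit/s offered).
BULK = [(i * 100, 1000) for i in range(100)]
# Trickle sender: one 100-byte packet per second (800 bit/s offered).
SLOW = [(i * 1000, 100) for i in range(10)]

if __name__ == "__main__":
    for name, flow in (("bulk", BULK), ("slow", SLOW)):
        sent, dropped = simulate(flow)
        print(f"{name}: sent={sent} B dropped={dropped} B")
```

The bulk sender gets the initial burst and then roughly one segment per second; the trickle sender, which stays under 8000 bit/s, loses nothing.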
