asked on

Attacks eating T1, what can I do

Our T1 was saturated today and we were being attacked. I checked the logs of our ASA and saw hundreds of the below.

How do we prevent something like this? Our firewall is doing the job, do we have to get the ISP involved?

SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 116**.167.139/2083 to outside:75.***.11.191/23

Open in new window

Jan Bacher

If the ASA is doing its job and the T1 were not saturated, then I would leave it alone.

However, in your case, this is leaving you in denial of service mode. If you can make the changes at your end (on the router) and it alleviates the saturation issue, that is where I would start.

Jan Bacher

Another comment: I do this with UDP and ICMP traffic today to be cautionary. However, my configuration advise is limited to Cisco routers. Whose router do you have?

WERAracer

ASKER

There is a cisco 2621xm in front of the pix. Is there a way to limit this in the router? isn't it still affecting us since it hits the link between CE and PE

thanks

ASKER CERTIFIED SOLUTION

Jan Bacher

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

WERAracer

ASKER

great, thanks jesper. Can I use this with any port? I apply it in the outside interface of my router? This won't affect or limit other traffic?

Jan Bacher

Yes, you can use it with any port. With traffic inside the network, I usually use QoS (classes, policys and apply them on the outbound side).

This particular rate-limit command goes on your internet facing connection. And no, there is an explicit deny with Cisco ACLs, so if it's not permitted, it's denied and if it's denied, it is not affected by the rate limiting.

If you want to use rate-limiting with Cisco L2/L3 switches, you have to use QoS in combination with srr-queue and bandwidth commands.