WERAracer
asked on
Attacks eating T1, what can I do
Our T1 was saturated today and we were being attacked. I checked the logs of our ASA and saw hundreds of the below.
How do we prevent something like this? Our firewall is doing the job, do we have to get the ISP involved?
SL_COMCAST_ASA %ASA-3-710003: TCP access denied by ACL from 116**.167.139/2083 to outside:75.***.11.191/23
Another comment: I do this with UDP and ICMP traffic today to be cautionary. However, my configuration advice is limited to Cisco routers. Whose router do you have?
ASKER
There is a Cisco 2621XM in front of the PIX. Is there a way to limit this in the router? Isn't it still affecting us since it hits the link between CE and PE?
thanks
ASKER CERTIFIED SOLUTION
ASKER
Great, thanks Jesper. Can I use this with any port? Do I apply it on the outside interface of my router? This won't affect or limit other traffic?
Yes, you can use it with any port. With traffic inside the network, I usually use QoS (classes, policies, and apply them on the outbound side).
This particular rate-limit command goes on your internet facing connection. And no, there is an explicit deny with Cisco ACLs, so if it's not permitted, it's denied and if it's denied, it is not affected by the rate limiting.
If you want to use rate-limiting with Cisco L2/L3 switches, you have to use QoS in combination with srr-queue and bandwidth commands.
However, in your case, this is leaving you in denial of service mode. If you can make the changes at your end (on the router) and it alleviates the saturation issue, that is where I would start.
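An added configuration example of the rate-limit-plus-ACL approach the answer describes, on a Cisco IOS router such as the 2621XM; it is not the accepted solution's text (which is not reproduced on the page) nor the asker's own configuration. The interface name, the ACL number and the rate and burst values are assumptions.

```cisco
! Constructed example. The ACL matches only the traffic the ASA 710003 messages
! show: inbound TCP to port 23. Packets that do NOT match it are not touched by
! the rate-limit statement below and are forwarded normally.
access-list 110 remark Inbound telnet attempts seen in the ASA %ASA-3-710003 log
access-list 110 permit tcp any any eq 23

interface Serial0/0
 description T1 to ISP (CE side, internet-facing) - interface name is assumed
 ! CAR: allow 64 kbit/s of matching traffic (8000-byte normal burst, 16000-byte
 ! max burst); forward conforming packets, drop the excess before it reaches the PIX.
 rate-limit input access-group 110 64000 8000 16000 conform-action transmit exceed-action drop
```

Check it with `show interfaces Serial0/0 rate-limit`, which reports conformed and exceeded packet counts per statement. Because the router is on the CE side, dropped packets have already crossed the T1, so this relieves the PIX and the LAN but not the link itself, which is the ISP question the asker raised.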