06-04-2012 07:08 AM - edited 03-11-2019 04:15 PM
Hi All,
We are trying to implement the ZBF on our router to assist us in limiting the initial impact of DDoS attacks.
We have configured the below and it appears that it's not working, as when under attack the statistics don't increase.
Any assistance would be greatly appreciated:
parameter-map type inspect global
 session total 99000
 alert on
 per-box tcp syn-flood limit 2000
 per-box max-incomplete tcp 2000
 per-box max-incomplete udp 500
 per-box max-incomplete icmp 500
class-map type inspect match-any ddos-class
 match protocol tcp
 match protocol UDP
 match protocol icmp
parameter-map type inspect global
policy-map type inspect ddos-fw
 class type inspect ddos-class
  inspect
 class class-default
  drop
zone security public
zone security private
zone-pair security public2private source public destination private
 service-policy type inspect ddos-fw
int GigabitEthernet0/0/1
 zone-member security public
int GigabitEthernet0/2/0
 zone-member security private
Thanks.
Jack.
06-04-2012 10:17 AM
Just curious, should you put the policy-map on the public2self zone-pair to limit the DoS attack?
06-04-2012 01:17 PM
Shuai Yu: I guess it depends on what you are trying to achieve, maybe they have an http-server or something...
jackwikiski: Your parameter-maps confuse me because they don't have a name? Or is it because they are global so you don't need a name?
Anyway, try this:
parameter-map type inspect ANTI-DDOS_PARMAP
 session total 99000
 alert on
 per-box tcp syn-flood limit 2000
 per-box max-incomplete tcp 2000
 per-box max-incomplete udp 500
 per-box max-incomplete icmp 500
policy-map type inspect ddos-fw
 class type inspect ddos-class
  inspect ANTI-DDOS_PARMAP
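Added example, not posted by either replier and not vendor-verified: it combines the two suggestions above (a named parameter-map referenced by `inspect`, and a second zone-pair toward the router's own `self` zone) and lists the show commands where the counters should move. The zone, class and interface names come from the thread; the `public2self` pair and its use of `inspect` are assumptions that depend on the IOS/IOS-XE release in use.

```cisco
! Box-wide limits stay in the global map (copied from the original post)
parameter-map type inspect global
 per-box tcp syn-flood limit 2000
 per-box max-incomplete tcp 2000
 per-box max-incomplete udp 500
 per-box max-incomplete icmp 500
!
! Named map, referenced explicitly by the inspect action below
parameter-map type inspect ANTI-DDOS_PARMAP
 alert on
!
class-map type inspect match-any ddos-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect ddos-fw
 class type inspect ddos-class
  inspect ANTI-DDOS_PARMAP
 class class-default
  drop
!
zone security public
zone security private
!
! Pair from the original post: only transit traffic public -> private
zone-pair security public2private source public destination private
 service-policy type inspect ddos-fw
!
! Assumption: packets addressed to the router itself are matched only
! by a pair whose destination is the built-in "self" zone, so a flood
! aimed at the router's own addresses never hits public2private.
! Caveats: whether "inspect" is permitted on a self-zone pair is
! release-dependent (pass/drop always is), and class-default drop here
! also discards non-TCP/UDP/ICMP traffic to the router (e.g. OSPF).
zone-pair security public2self source public destination self
 service-policy type inspect ddos-fw
!
interface GigabitEthernet0/0/1
 zone-member security public
interface GigabitEthernet0/2/0
 zone-member security private
!
! Verification: these are the counters to watch while under load
! show zone-pair security
! show policy-map type inspect zone-pair public2private
! show policy-map type inspect zone-pair public2self
! show policy-map type inspect zone-pair public2private sessions
```

If the per-class packet counters on both zone-pairs stay at zero during an event, the traffic is not reaching a zone-member interface at all, which points at the interface membership rather than the parameter-map.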