How to calculate TCP SYN and ICMP rate-limit on Internet lines

Hi,

Does anybody know if there are recommended guidelines on how to configure IOS rate-limit (parameters bps, normal burst and max burst) for TCP SYN and ICMP packets on gigabit Internet access lines?

Is there also any way to calculate the average TCP SYNs of a given accumulated IP bandwidth (e.g. 20 Mb/s)?

Best Regards,

Thorsten

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Thorsten,

I can answer for ICMP:

Usually the rate-limit is placed with strict values so that you can allow a normal ping (still useful in troubleshooting).

You can use the expected RTT you see on ping results to calculate the resulting ICMP rate.

In an activity I did some years ago I allowed 256 kbps for ICMP traffic, seeing it was enough.

For TCP SYN I don't see a direct relation with offered BW.

A possible tool for defending servers from TCP SYN may be TCP intercept.

The security command reference says the default value for incomplete TCP sessions for triggering aggressive mode is 1100.

see

http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_i3.html#wp1058428

or

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1058428

see also config guide for TCP intercept

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_tcp_intercpt_ps6350_TSD_Products_Configuration_Guide_Chapter.html

The limit is that it can load the router.

Hope to help

Giuseppe
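Added example, not part of the thread and not Cisco's own code: a small calculator for the three `rate-limit` parameters asked about, deriving an ICMP rate from ping RTT as the reply suggests. Assumptions: each ping waits for its reply before sending the next, bps is rounded up to the 8 kbps step the command expects, bursts follow the starting-point formula from Cisco's CAR documentation (normal burst = rate / 8 * 1.5 s, max burst = 2 * normal), and ACL 101 is a hypothetical ACL matching ICMP echo and echo-reply.

```python
import math

CAR_STEP_BPS = 8000  # rate-limit takes bps in 8 kbps increments


def icmp_bps(packet_bytes, rtt_ms, concurrent_pings=1):
    """Bits per second, in one direction, produced by pings that each
    wait for the reply before sending the next packet (assumption)."""
    pings_per_second = 1000.0 / rtt_ms
    return packet_bytes * 8 * pings_per_second * concurrent_pings


def car_parameters(target_bps):
    """Return (bps, burst_normal_bytes, burst_max_bytes) for rate-limit."""
    steps = math.ceil(target_bps / CAR_STEP_BPS)
    bps = max(CAR_STEP_BPS, steps * CAR_STEP_BPS)
    burst_normal = int(bps / 8 * 1.5)   # 1.5 seconds of traffic, in bytes
    burst_max = 2 * burst_normal
    return bps, burst_normal, burst_max


def rate_limit_line(acl, target_bps):
    """Build the interface command; ACL number is a hypothetical example."""
    bps, burst_normal, burst_max = car_parameters(target_bps)
    return (f"rate-limit input access-group {acl} {bps} {burst_normal} "
            f"{burst_max} conform-action transmit exceed-action drop")


if __name__ == "__main__":
    # Constructed sample: four operators pinging at once with 100-byte
    # packets (the IOS ping default size) over a 20 ms RTT path.
    needed = icmp_bps(packet_bytes=100, rtt_ms=20, concurrent_pings=4)
    print(f"ICMP needed: {needed:.0f} bps")
    print(rate_limit_line(101, needed))
    # The 256 kbps budget mentioned in the reply, for comparison.
    print(rate_limit_line(101, 256000))
```

The computed bursts are a starting point; check the interface's conformed and exceeded counters with `show interfaces rate-limit` after deployment and adjust.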
