Cisco ASR 5700
Firewall-and-NAT Policy Configuration Mode Commands
firewall flooding
Command Line Interface Reference, StarOS Release 17
Usage
Use this command to configure the maximum number of ICMP, TCP-SYN, or UDP packets allowed, to prevent packet flooding attacks on the host.
Example
The following command ensures a subscriber will not receive more than 1000 ICMP packets per sampling interval:
firewall flooding protocol icmp packet limit 1000
The following command ensures a subscriber will not receive more than 1000 UDP packets per sampling interval on different 5-tuples. That is, if an attacker is sending a lot of UDP packets on different ports or using different spoofed IP addresses, those packets will be limited to 1000 packets per sampling interval. This way, only “suspected” malicious packets are limited and not “legitimate” packets.
firewall flooding protocol udp packet limit 1000
The following command ensures a subscriber will not receive more than 1000 TCP-SYN packets per sampling interval:
firewall flooding protocol tcp-syn packet limit 1000
The following command specifies a flooding sampling interval of 1 second:
firewall flooding sampling-interval 1