Router CAR rate-limit policy

Source: Internet
Author: User
DoS prevention: Denial of Service (DoS) is a method widely used by attackers. It monopolizes network resources and prevents other hosts from accessing the network normally, so that the network is paralyzed. We can use the CAR rate-limit policy on the access router to defend against this problem.



    DoS is short for Denial of Service. Its aim is to make a computer or network unable to provide normal service. An important characteristic of a DoS attack is a large number of ICMP packets with forged source addresses in the network. We can rate-limit ICMP packets by configuring CAR on the router.

    CAR Working Mechanism

    CAR is short for Committed Access Rate, the guaranteed access rate. CAR has two main functions: it limits the inbound and outbound traffic rate of a port or sub-interface to a configured standard, and it classifies traffic into different QoS priorities. CAR works only on IP packets, not on non-IP traffic, and it can only be used on a router or switch that supports CEF (Cisco Express Forwarding).

    To control traffic, we must first identify the packet classification and then perform the rate limiting (access rate limiting). CAR combines the two. Its workflow is shown in Figure 1.

    First, we need to define the traffic of interest, that is, the type of data packet that is subject to traffic control. Traffic can be identified by the following methods:

    (1) Based on IP precedence, defined with a rate-limit access-list.

    (2) QoS groups.

    (3) IP access list, which can be a standard or extended access list.

    After the traffic has been identified by one of the methods above, step 2 (traffic limitation) is carried out. CAR uses a token bucket mechanism to limit traffic (Figure 2).

    Rate limiting uses the token bucket algorithm to control the bandwidth consumed by a traffic flow. When each inbound frame arrives, its size is added to the token bucket. Every 0.25 milliseconds (1/4000 second), the CIR (committed information rate), that is, the average rate limit, is subtracted from the token bucket. Keeping the token bucket at 0 in this way stabilizes the data rate.

    Rate limiting allows traffic bursts that exceed the average rate. The amount by which the token bucket rises, up to the burst value (in bytes), is a valid burst, also called in-profile traffic. When the token bucket size exceeds the burst value, the rate limiter considers the traffic "too large". For this case we can define a PIR (peak information rate).

    When traffic exceeds the maximum burst value and reaches the PIR, the rate limiter considers the traffic to be in violation. This type of traffic is also called out-of-profile traffic. Therefore, when actual traffic passes through the token bucket, there are two possible situations:

    (1) The actual traffic is less than or equal to the desired rate. The rate at which frames leave the bucket is the same as the rate at which they arrive, so the bucket can be regarded as empty. The traffic does not exceed the expected value.

    (2) The actual traffic exceeds the desired rate. Frames enter the bucket faster than they leave it. Over a period of time the frames fill the bucket, and the next frame overflows (exceeds) the bucket; CAR then takes the corresponding action (generally drop, or change the IP precedence so that the packet's priority changes). In this way the data rate is held within the user-defined desired value.
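Added example (not from the original article and not Cisco's implementation): a Python simulation of the token-bucket behaviour described above, using the article's 3 Mbps rate and 8000-byte bucket with constructed constant-rate streams of 1000-byte ICMP echo-reply frames, to show which frames conform (transmit) and which exceed (drop). Frame sizes, rates and the 1-second duration are assumed values.

```python
# Simulation of the CAR token-bucket behaviour described in the text
# (added example; not Cisco's implementation). Time is kept in integer
# microseconds so the 250-microsecond (1/4000 s) drain interval is exact.
from dataclasses import dataclass, field

INTERVAL_US = 250  # 1/4000 s, the drain interval the text describes


@dataclass
class CarLimiter:
    cir_bps: int                  # committed information rate (bits/s)
    burst_normal: int             # bucket depth in bytes (in-profile limit)
    bucket_bytes: float = 0.0     # bytes currently "in the bucket"
    clock_us: int = 0             # time up to which the bucket was drained
    stats: dict = field(default_factory=lambda: {"conform": 0, "exceed": 0})

    def _drain(self, now_us: int) -> None:
        # Every elapsed interval subtracts CIR * interval worth of bytes.
        intervals = (now_us - self.clock_us) // INTERVAL_US
        if intervals > 0:
            per_interval = self.cir_bps * INTERVAL_US / 8 / 1_000_000
            self.bucket_bytes = max(0.0, self.bucket_bytes - intervals * per_interval)
            self.clock_us += intervals * INTERVAL_US

    def offer(self, now_us: int, size_bytes: int) -> str:
        """Classify one frame: 'conform' (transmit) or 'exceed' (drop)."""
        self._drain(now_us)
        if self.bucket_bytes + size_bytes <= self.burst_normal:
            self.bucket_bytes += size_bytes   # in-profile: frame enters the bucket
            self.stats["conform"] += 1
            return "conform"
        self.stats["exceed"] += 1             # out-of-profile: dropped, not added
        return "exceed"


def simulate_flood(rate_pps: int, size_bytes: int, seconds: int,
                   cir_bps: int, burst_normal: int) -> dict:
    """Feed a constant-rate stream of equal-size frames through the limiter."""
    car = CarLimiter(cir_bps, burst_normal)
    gap_us = 1_000_000 // rate_pps
    for i in range(rate_pps * seconds):
        car.offer(i * gap_us, size_bytes)
    return dict(car.stats)


if __name__ == "__main__":
    # Constructed traffic: 1000-byte ICMP echo-replies against a limiter set
    # like the article's example (3 Mbps, 8000-byte bucket).
    print("2 Mbps stream:", simulate_flood(250, 1000, 1, 3_000_000, 8000))
    print("10 Mbps flood:", simulate_flood(1250, 1000, 1, 3_000_000, 8000))
```

At 2 Mbps every frame conforms; at 10 Mbps the bucket fills after the first few frames and roughly three out of every ten frames are transmitted, which is the 3 Mbps committed rate.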

    CAR Configuration

    We usually configure CAR on the edge router of the network. CAR configuration mainly consists of the following parts:

    1. Determine the "interesting" traffic type, that is, the traffic we need to monitor, mainly through the following methods:

    (1) Based on IP precedence, defined with a rate-limit access-list.

    (2) Based on QoS group.

    (3) Based on MAC address.

    (4) Based on a standard or extended IP access list.

    2. Configure rate-limit on the corresponding port. The general syntax is:

        interface X
        rate-limit {input | output} [access-group number] bps burst-normal burst-max conform-action action exceed-action action

    The parts of the command are:

    interface: the port whose traffic you want to control. It can be an Ethernet port or a serial port; however, the input and output directions differ by interface type.

    input | output: the direction of the traffic to be restricted. On an Ethernet port the limited traffic is output; on a serial port it is input.

    access-group number: number is the number of the access list that defines the traffic.

    bps: the maximum rate you want for the traffic, in bits per second.

    burst-normal burst-max: the sizes of the token bucket. Typical values are 8000, 16000 and 32000, depending on the bps value.

    conform-action: the processing policy for traffic within the rate limit.

    exceed-action: the processing policy for traffic exceeding the rate limit.

    action: the processing policy, which can be one of the following:

    1. Transmit: forward the packet.

    2. Drop: discard the packet.

    3. Set precedence and transmit: modify the IP precedence and forward the packet.

    4. Set QoS group and transmit: assign the traffic to a QoS group and forward it.

    5. Continue: take no action; check whether the next rate-limit command matches the traffic and applies a policy. If none does, transmit.

    6. Set precedence and continue: modify the IP precedence and then continue.

    7. Set QoS group and continue: select a QoS group and then continue.

    CAR Application

    In addition to limiting the traffic rate, CAR can also be used to defend against DoS attacks. For example, a Smurf attack floods the network with a large number of ICMP packets with spoofed source addresses, consuming network resources. We can rate-limit ICMP packets on the router by configuring CAR to protect the network (Figure 3).


    Figure 3

    Configuration on the customer's router:

        interface s0
        rate-limit input access-group 200 3000000 80000 80000 conform-action transmit exceed-action drop

    Here we limit ICMP packet traffic to 3 Mbps, and the token bucket size is 8000 bytes.

        access-list 200 permit icmp any any echo-reply

    In this way we can limit the forwarding rate and volume of ICMP packets to a certain extent and reduce the damage to the network and its hosts.

    To use the CAR rate-limit policy effectively, we need to understand how DoS attacks work, so that we can take the appropriate preventive measures against each type of DoS attack.
