[unisog] Blocking inbound Internet traffic

Arnold, Jamie harnold at binghamton.edu
Thu May 8 23:10:26 GMT 2003

We're doing something similar in that we shut down the port of the offender.
This triggers another process that then pages us to alert that the port is
down.  I like the idea of not shutting the port down and instead rate
limiting it.



-----Original Message-----
From: Johan M. Andersen [mailto:johan at columbia.edu] 
Sent: Thursday, May 08, 2003 2:41 PM
To: Arnold, Jamie
Cc: Sara Smollett; unisog at sans.org

> I'd be very interested in seeing what you've done with Cisco.  We're 
> primarily Cisco and I have played with the netflow stuff somewhat.

The netflow stuff is great :) First get a collector set up to gather the
netflow information for the outgoing links that you want to restrict the
usage of. We had this already just to do measurement, graphing, etc. We then
wrote a module that went through these files and accumulated data
transferred per IP in our ranges to IPs outside. We keep this data in an
Oracle database, but postgres or mysql would work just as well. This module
outputs a list of IPs that violate a definable quota (expressed in bytes
allowed over a period of time). The netflow collector outputs this file once
every five minutes. Once the file hits the disk, a separate process munges
it into a basic cisco access list that matches those IPs, and installs it
on the border router. On that router, the interface has the statement

int POS2/1
 service-policy input quota-in

The policy map looks like:

policy-map quota-in
  class quota-in
     police 5000000 10000 10000 conform-action transmit exceed-action drop

Finally, the class map it refers to is just

class-map match-any quota-in
  match access-group 121

Where access-group 121 is the access list that gets installed every 5
minutes. Everyone who goes over their quota has to share the same 5 Mbps
pipe for uploads. A similar system would work for downloads, or a combined
in/out quota.
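The per-IP accounting and ACL generation step described above, as an added example that is not Johan's code: it assumes a campus range of 10.20.0.0/16, a 2 GiB upload quota per window, and a handful of constructed (src, dst, bytes) flow records standing in for the collector's five-minute file.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.20.0.0/16")  # assumed campus range
QUOTA_BYTES = 2 * 1024**3                        # assumed quota: 2 GiB per window

# Constructed sample flow records (src, dst, bytes); not real collector output.
FLOWS = [
    ("10.20.1.5", "198.51.100.7", 1_500_000_000),
    ("10.20.1.5", "203.0.113.9", 900_000_000),
    ("10.20.2.8", "198.51.100.7", 50_000_000),
    ("10.20.1.5", "10.20.3.3", 5_000_000_000),    # internal-to-internal, not counted
    ("203.0.113.9", "10.20.2.8", 3_000_000_000),  # inbound, not an upload
]


def upload_bytes_per_ip(flows, internal=INTERNAL):
    """Sum bytes sent by each address inside `internal` to addresses outside it."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in internal and d not in internal:
            totals[str(s)] += nbytes
    return dict(totals)


def quota_violators(totals, quota=QUOTA_BYTES):
    """Return the sorted list of IPs whose upload total exceeds the quota."""
    return sorted(ip for ip, n in totals.items() if n > quota)


def build_acl(violators, acl_number=121):
    """Emit the extended access list the class map matches on (access-group 121).

    Only violators are permitted by the ACL, so only their traffic falls into
    the policed class; everyone else hits the implicit deny and is unpoliced.
    Reissuing "no access-list" first replaces the previous window's list.
    """
    lines = [f"no access-list {acl_number}"]
    for ip in violators:
        lines.append(f"access-list {acl_number} permit ip host {ip} any")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(quota_violators(upload_bytes_per_ip(FLOWS)))))
```

A real deployment would read the collector's file instead of FLOWS and push the returned lines to the router, with a sanity cap on list size so a parsing error cannot police the whole range.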

