
Configuring the MSDP Active Source Limit

A router that participates in MSDP, such as an RP, might have to process a large number of MSDP messages, especially source-active (SA) messages, arriving from its peers. Because the router must examine, process, and build state for each of these messages, a flood of source-active messages can be used as a DoS attack against a router running MSDP. To reduce this exposure, you can configure a limit on the number of source-active messages the router accepts. You can also configure a threshold above which the router applies random early discard (RED) to drop some, but not all, of the source-active messages it receives.

By default, the router accepts 25,000 source-active messages and ignores any beyond that number. The maximum can be from 1 through 1,000,000. The limit is applied to both the number of messages and the number of MSDP peers. By default, the router begins applying the RED profile after accepting 24,000 source-active messages; this threshold can also range from 1 through 1,000,000. With the default values, messages 24,001 through 25,000 are screened by the RED profile, and those that pass are processed normally.

To configure the MSDP active source limit on the router, include the active-source-limit statement:

active-source-limit {
    maximum number;
    threshold number;
}

For a list of the hierarchy levels at which you can include this statement, see the statement summary section for this statement.

Note: The router ignores source-active messages that encapsulate TCP packets. Multicast traffic does not use TCP, so TCP segments carried inside a source-active message are most likely the result of worm activity.

The number configured for the threshold must be less than the number configured for the maximum. Messages that arrive between the two values are subject to RED; messages that arrive after the maximum has been reached are dropped outright, so a threshold equal to or greater than the maximum leaves no range in which RED can operate.
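As an added configuration example (not taken from the original page or from Juniper's own documentation), the following session tightens the limit from the defaults to a hard cap of 10,000 source-active messages with RED applied from 8,000 onward, at the global [edit protocols msdp] level. The hostname rp1 and the chosen values are assumptions; the statement can also be applied at the other hierarchy levels listed in the statement summary.

```junos
# Added example, not from the original page. Hostname rp1 and the
# values 10000 / 8000 are assumptions chosen for illustration.
[edit]
user@rp1# set protocols msdp active-source-limit maximum 10000
user@rp1# set protocols msdp active-source-limit threshold 8000

# Inspect the resulting hierarchy before committing.
[edit]
user@rp1# show protocols msdp active-source-limit
maximum 10000;
threshold 8000;

# Weak setting beside the corrected one: a threshold equal to the maximum
# leaves no RED window, so the router goes straight from "accept everything"
# to "drop everything" at the cap. Keep the threshold below the maximum.
#   avoid:    set protocols msdp active-source-limit maximum 10000 threshold 10000
#   corrected: set protocols msdp active-source-limit maximum 10000 threshold 8000

[edit]
user@rp1# commit check
configuration check succeeds

[edit]
user@rp1# commit
commit complete
```

After the commit, `show msdp source-active` lists the source-active entries the router has accepted, which is the quickest way to confirm that the cache is staying within the configured limit during an SA flood.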

You can configure an active source limit at several levels of the MSDP hierarchy:

