Technical Documentation

Configuring the MSDP Active Source Limit

A router interested in MSDP messages, such as an RP, might have to process a large number of MSDP messages, especially source-active messages, arriving from other routers. Because of the potential need for a router to examine, process, and create state tables for many MSDP packets, there is a possibility of an MSDP-based DoS attack on a router running MSDP. To minimize this possibility, you can configure the router to limit the number of source active messages the router accepts. Also, you can configure a threshold for applying random early discard (RED) to drop some but not all MSDP active source messages.

By default, the router accepts 25,000 source active messages before ignoring the rest to prevent a possible DoS attack. The limit can be from 1 through 1,000,000. The limit is applied to both the number of messages and the number of MSDP peers. By default, the router accepts 24,000 source-active messages before applying the RED profile to prevent a possible DoS attack. This number can also range from 1 through 1,000,000. The next 1,000 messages are screened by the RED profile and the accepted messages processed.

To configure the MSDP active source limit on the router, include the active-source-limit statement:

For a list of the hierarchy levels at which you can include this statement, see the statement summary section for this statement.

Note: The router ignores source-active messages with encapsulated TCP packets. Multicast does not use TCP; segments inside source-active messages are most likely the result of worm activity.

The number configured for the threshold must be less than the number configured for the maximum number of active MSDP sources.

You can configure an active source limit at several levels of the MSDP hierarchy:

Configuring Global, Group, and Peer Active Source Limit

You can configure an active source limit globally, for a group, or for a peer. If active source limits are configured at multiple levels of the hierarchy, all are applied.

The following example applies a limit of 5,000 active sources to MSDP peer 10.0.0.1, a limit of 7,500 active sources to MSDP peer 10.10.10.10 in group MSDP-group, and a limit of 10,000 active sources to all others.

[edit protocols msdp]
active-source-limit {
    maximum 10000;
}
group MSDP-group {
    peer 10.10.10.10;
    active-source-limit {
        maximum 7500;
    }
    peer 10.10.10.11;
}
peer 10.0.0.1 {
    active-source-limit {
        maximum 5000;
    }
}

Configuring Per-Source Active Source Limit

You can configure an active source limit for an address range as well as for a specific peer. A per-source active source limit uses an IP prefix and prefix length instead of a specific address. You can configure more than one per-source active source limit. The longest match determines the limit.

[edit protocols msdp]
source 10.1.1.1/32 {
    active-source-limit {
        maximum 10000;
    }
}
source 10.1.0.0/16 {
    active-source-limit {
        maximum 500;
    }
}
source 0.0.0.0/0 {
    active-source-limit {
        maximum 5;
    }
}

In this example, the source 10.1.1.1 is allowed active sources for 10,000 groups. Any other source on the 10.1.0.0/16 network is allowed 500 groups. All other sources are allowed to source 5 active streams.

Per-source active source limits can be combined with active source limits at the peer, group, and global (instance) hierarchy level. Per-source limits are applied before any other type of active source limit. Limits are tested in the following order:

  • Per-source
  • Per-peer or group
  • Per-instance

An active source message must “pass” all limits established before being accepted. For example, if a source is configured with an active source limit of 10,000 active multicast groups and the instance is configured with a limit of 5,000 (and there are no other sources or limits configured), only 5,000 active source messages are accepted from this source.
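The ordered evaluation described above (longest-match per-source limit, then per-peer, then per-instance, with every limit having to pass), as an added Python model that is not part of this documentation and not Junos code. It assumes each source-active entry is identified by its (source, group) pair, so a refresh of state the router already holds is accepted without consuming new capacity, and for brevity it folds group-level limits into the per-peer limit.

```python
import ipaddress
from collections import defaultdict


class SaLimiter:
    """Model of the ordered active-source-limit checks: per-source, per-peer, per-instance."""

    def __init__(self, source_limits, peer_limits, instance_limit):
        # Per-source limits keyed by prefix; the longest matching prefix wins.
        self.source_limits = [(ipaddress.ip_network(p), m) for p, m in source_limits.items()]
        # Per-peer limits (a group-level limit would be checked at the same step).
        self.peer_limits = dict(peer_limits)
        self.instance_limit = instance_limit
        # Accepted (source, group) state, tracked per source, per peer and for the instance.
        self.by_source = defaultdict(set)
        self.by_peer = defaultdict(set)
        self.instance = set()

    def source_limit(self, src):
        """Return the per-source limit for src by longest prefix match, or None if no prefix matches."""
        addr = ipaddress.ip_address(src)
        matches = [(net.prefixlen, limit) for net, limit in self.source_limits if addr in net]
        return max(matches)[1] if matches else None

    def accept(self, peer, src, group):
        """Return True if a source-active entry for (src, group) from peer passes every limit."""
        entry = (src, group)
        if entry in self.instance:
            return True  # refresh of state already held: no new state is created
        checks = [
            (self.source_limit(src), self.by_source[src]),     # 1. per-source
            (self.peer_limits.get(peer), self.by_peer[peer]),  # 2. per-peer (or group)
            (self.instance_limit, self.instance),              # 3. per-instance
        ]
        for limit, held in checks:
            if limit is not None and len(held) >= limit:
                return False  # any failed limit rejects the entry
        self.by_source[src].add(entry)
        self.by_peer[peer].add(entry)
        self.instance.add(entry)
        return True


def instance_caps_source():
    """Worked case from the text: source limit 10,000, instance limit 5,000, 6,000 groups offered.
    Constructed peer address and group range; returns how many entries are accepted."""
    lim = SaLimiter({"10.1.1.1/32": 10000}, {}, 5000)
    groups = (f"232.1.{g // 256}.{g % 256}" for g in range(6000))
    return sum(lim.accept("10.0.0.1", "10.1.1.1", grp) for grp in groups)  # returns 5000
```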

Published: 2010-07-19
