Cisco 1605 Access List Entry Limits

As a temporary measure until we can get a proper solution to SMTP dictionary
attacks, I'm looking at using our border router (a Cisco 1605) to block SMTP
from hosts attacking our SMTP. The following is what it reports for memory:

8192K bytes of DRAM onboard
4096K bytes of processor board PCMCIA flash (Read/Write)

How many access-list entries can I reasonably put on the outside (ethernet0)
interface, and what is the best way to dynamically update the access list in
question (I'm looking at updates every four or five minutes).

 

I'm not sure who much more memory it would take, but I would guess not
too much..Your problem may be 1) running out of NVRAM if the ACL gets
too big, 2) CPU goes up chugging through the large ACL on a 1600
platform, 3) After you modify the ACL so many times, it may become
useless.

We've had cases where on a 7500 running 12.1x code, the ACL became
confused and allowed everything. This after updating the ACL twice a
week for about a year.

--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************

 

More careful analysis of the logs indicates that if I could block somewhere
between 50-200 IPs, with updates every five minutes or so, this might be far
more effective. Does the update frequency and max of around 200 IPs sound
doable?

 

To be honest your easiest way to do this kind of blocking, assuming you just
want to blackhole the hosts entirely, would be to get a Linux/xBSD box on
the internal network running Zebra or Bird - routing daemon of some
description and have it talk BGP/OSPF/whatever routing protocol that isn't
classful to the 1605.

Then to blackhole an attacking IP you just add a route on the Linux box
which will propogate to the 1605 and effectively blackhole the attacker.

No config changes needed on the 1605 whatsoever and any frequency of updates
for the block list you want is achievable.

P.

 

DOn't know. We don't use 1600's too much so I don't know what affect
it will have if you add a 200 line ACL. But I think you're asking the
router to do something it was not designed to do.


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************

 

Actually I've changed my strategy a bit. I think I can get away with no
more than 30 or 40 (and usually about 10) entries in the ACL, but will need
to update it every few minutes. Is that doable?

 

That is certainly doable.

--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************