In case of a DoS (Denial of Service) attack on Netconf, wherein, Netconf
receives numerous requests in a short span of time, the router may become
irresponsive if Netconf consumes most of the bandwidth or CPU processing time.
This can be prevented, by limiting the traffic directed at the Netconf agent.
This is achieved using the
netconf-yang agent rate-limit
netconf-yang agent session
If rate-limit is set, the Netconf processor measures the incoming
traffic from the SSH server. If the incoming traffic exceeds the set
rate-limit, the packets are dropped.
If session-limit is set, the Netconf processor checks for the number of
open sessions. If the number of current sessions is greater than or equal to,
the set limit, no new sessions are opened.
Session idle- timeout and absolute-timeout also prevent DoS attacks. The
Netconf processor closes the sessions, even without user input or intervention,
as soon at the time out session is greater than or equal to the set time limit.
The relevant commands are discussed in detail, in the
Cisco IOS XR System Security Command Reference for the Cisco CRS