NAP/ISP Saturation WAS: Re: Exchanges that matter...

Alex.Bligh amb at xara.net
Fri Dec 20 22:00:24 UTC 1996


> I think that there's some lack of clarity on the problem here.  Anyone can
> stream packets at ANY router and take it down.  If it's not ICMP, you can
> simply forge routing protocol packets.  It's a question of simply
> supersaturating the system.  To truly deal with DoS attacks, there are
> basically three approaches:

Indeed. For instance SYN-flood the BGP port.
 
> 1) Throw money at the problem.  Build a big box that has enough processor
> to deal with the incoming bandwidth for pessimal packets.  Even then, the
> bad guys can simply supersaturate the incoming bandwidth.
> 
> 2) Deal with it statistically.  For example, most folks for the recent syn
> attacks will drop syns if they don't complete reasonably, thereby allowing
> some percentage of real traffic to get through.
> 
> 3) Deal with it legally.  This is what the telco's do.  It implies that we
> would need real mechanisms for tracking down offenders.

Can I have 2(a) - deal with it statistically and intelligently. TCP/IP
stacks which have got far greater public flak than Cisco's (Solaris 2.4
for instance) do not die when sent 128kb/s of ICMP. As I understand it
11.1 allows access lists based on icmp packet type, and this filtering
is already done off CPU. So "all" the CPU has to do is block ICMPs
from particular hosts, or (even) ICMP at all, if it is being flooded.

> As to what cisco will do, you should probably ask cisco.

I did. They said "the problem doesn't exist". I am circulating the problem
(before, like SYN flods, it becomes a serious operational problem) to those
with larger annual Cisco spend than me.

Background to bug: We discovered this when we had 2 telco lines running
in parallel and wanted to check the performance of one from a host behind
one router, and had no hosts of our own behind the other router. Naively
we thought pinging the other (NAP) router would be a good test with our
stochastic bandwidth modeling tool, which is based on ICMP. Rather an
unpleasant thing happened to our transit. Just wait until someone decides
you should measure your ISPs performance by running
  ping -s 1000 mae-east.sprintlink.net
(8kb/s). Now get 16 people doing it at once, and ...

Alex Bligh
Xara Networks








More information about the NANOG mailing list