Loadsa ICMP...

Edward Henigin ed at texas.net
Wed Aug 13 19:40:05 UTC 1997


	A 7513 with an RSP2 (100Mhz MIPS R4700) can process switch
around 3500 packets/sec, by my unofficial testing.  People at cisco
may respond negatively to my post, but I'll refer them to two cases
I opened with TAC, neither of which were able to raise the ceiling
on how many packets can be process switched.

	Cisco configuration is aimed towards fast-switching as many
packets as possible.  The same box can probably fast switch a couple of
hundered thousand packets/sec or more (I have no idea, I just know it's
a lot) but if you force the box to process switch, YOU WILL KILL IT.
It will start dropping bgp sessions, etc etc, and you're toast.

	One way to force a cisco to process switch is by sending
it packets that match an ACL deny....  and this latest round of
'smurfing' will send tens of thousands of packets/sec through your
router..

	so access-list filtering is worse than useless, it is
destructive, when combating DoS attacks.

	hence the idea of using policy-routing to filter the
smurf-attacks.


	realize here that doubling (or tripling, or quadrupling) the
CPU power of the cisco will not help.  Upgrading from an rsp2 to an
rsp4 would buy you about 3 times 3.5Kpps, say around 10Kpps, process
switched.  That's still hardly enough to save you when you're being
smurfed.

	Ed

--
On Wed, Aug 13, 1997 at 02:27:43PM -0500, Jon Green said:
> 
> I'm not from a Cisco background, so forgive me, but.. What a strange
> way to configure a router.  You have to configure it in a non-intuitive
> way because the intuitive way will blow up the router?  I guess we should
> be thankful that IOS lets us get around hardware limitations of the box, but
> someone should really teach Cisco a concept called "SMP".  Just an
> observation..
> 
> -Jon



More information about the NANOG mailing list