Loadsa ICMP...
Edward Henigin
ed at texas.net
Wed Aug 13 19:40:05 UTC 1997
A 7513 with an RSP2 (100Mhz MIPS R4700) can process switch
around 3500 packets/sec, by my unofficial testing. People at cisco
may respond negatively to my post, but I'll refer them to two cases
I opened with TAC, neither of which were able to raise the ceiling
on how many packets can be process switched.
Cisco configuration is aimed towards fast-switching as many
packets as possible. The same box can probably fast switch a couple of
hundered thousand packets/sec or more (I have no idea, I just know it's
a lot) but if you force the box to process switch, YOU WILL KILL IT.
It will start dropping bgp sessions, etc etc, and you're toast.
One way to force a cisco to process switch is by sending
it packets that match an ACL deny.... and this latest round of
'smurfing' will send tens of thousands of packets/sec through your
router..
so access-list filtering is worse than useless, it is
destructive, when combating DoS attacks.
hence the idea of using policy-routing to filter the
smurf-attacks.
realize here that doubling (or tripling, or quadrupling) the
CPU power of the cisco will not help. Upgrading from an rsp2 to an
rsp4 would buy you about 3 times 3.5Kpps, say around 10Kpps, process
switched. That's still hardly enough to save you when you're being
smurfed.
Ed
--
On Wed, Aug 13, 1997 at 02:27:43PM -0500, Jon Green said:
>
> I'm not from a Cisco background, so forgive me, but.. What a strange
> way to configure a router. You have to configure it in a non-intuitive
> way because the intuitive way will blow up the router? I guess we should
> be thankful that IOS lets us get around hardware limitations of the box, but
> someone should really teach Cisco a concept called "SMP". Just an
> observation..
>
> -Jon
More information about the NANOG
mailing list