Network Operators and smurf
CMartin at mercury.balink.com
Sun Apr 26 08:02:25 UTC 1998
I am currently looking into the feature set for this release, as I have
to support SMDS, HSRP, Frame, ATM, and VIP2-50 boards. Hopefully this
will work. Have you heard of any success/failure stories using dCEF on
75xx against these attacks. If so, I'd be interested to hear of them.
I have your paper on my corkboard - very nice.
Just rantin' and ravin'.
>From: Craig A. Huegen [SMTP:chuegen at quadrunner.com]
>Sent: Sunday, April 26, 1998 3:44 AM
>To: Martin, Christian
>Cc: 'nanog at merit.edu'
>Subject: RE: Network Operators and smurf
>On Sun, 26 Apr 1998, Martin, Christian wrote:
>==>network. We are connected upstream at 45Mbps. As the attack
>==>intensified, router CPU Utilization jumped to 99%, and the input queue
>==>on our inbound HSSI was at 75/75. We started dropping packets at a rate
>==>of about 7000/sec. The attacks were coming in from all over the world.
>Have you read the smurf document found at
>I'd be interested to know what version of code you were running.
>I've seen a provider drop over 120 Mbps of smurf traffic in access-lists
>for over an hour and the routers weren't affected one bit.
>IOS CA & CC code 11.1(13.5) and later have a fix to the code which handles
>access-list drops--called "fast drop"--which fixes some inefficiencies in
>***READ*** the document at the URL above. It's amazing how much that URL
>has been advertised, through all the advisories, through the NOCs, etc.,
>but with the ongoing thread over the last few weeks it almost appears that
>a lot of people either haven't heard about it or haven't read it.
>Of course, it's been put into mail messages 9 times on NANOG already:
>chuegen at quad:3:~>grep "quadrunner.com" mail/nanog | grep "smurf" | wc -l
More information about the NANOG