Possible DoS attack (?)

• Previous message (by thread): Possible DoS attack (?)
• Next message (by thread): Routers and DOS Re: Possible DoS attack (?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Clifton D. McKinney" <clift at alltel.net> wrote:

> Is this something that the "no ip directed-broadcast" command
> would prevent?

Nope (unfortunately)...

I think I should clarify what the problem is again, since I've
had a few private emails that suggest that what I originally
wrote was confusing.

The route-cache (fast-switching) speeds up switching by building
a simple lookup table of IP-prefix/output-interface pairs by
doing a routing table lookup (process-switching) for the first
packet it sees that is addressed to any destination prefix.

The problem is that to implement ICMP redirects, Ciscos have
to do process-switching to figure out that the source and
destination addresses are both out of the same interface and
can therefore talk to each other directly (i.e. without
pointlessly bouncing traffic off the router and causing the
same traffic to go over the same network twice, wasting
bandwidth).

This would be fine and dandy if when they sent a redirect,
the host that received it listened to it, and stopped bouncing
traffic off the router, but if it doesn't (either stupidly
or maliciously) then all traffic that is being bounced off
the router has to carry on being process-switching, burning
CPU cycles like it's going out of fashion.

If you turn on 'ip route-cache same-interface' the router
will still send a redirect for the first packet addressed
to a particular prefix that it sees because it has to
process-switch it to figure out what to put in the route-
cache, but after that it will use the cache, and not look
at the source addresses of packets to that destination at
all (try turning on 'debug ip icmp' to see this behaviour).

Whether you use the command or not is a trade-off based on
whether you want redirects to work properly (stopping traffic
being bounced off the router unnecessarily if other hosts
listen to them), or if you would rather not burn CPU when
other hosts don't listen to them and you have to switch the
traffic back out of the same interface anyway.

M.

• Previous message (by thread): Possible DoS attack (?)
• Next message (by thread): Routers and DOS Re: Possible DoS attack (?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]