DOS?

Iljitsch van Beijnum iljitsch at muada.com
Sun Jan 26 08:45:45 UTC 2003


On Sat, 25 Jan 2003, Jack Bates wrote:

> > I think today's events show that CPU-based routers have no business
> > handling anything more than 1 x 100 Mbps in and 1 x 100 Mbps out. If a
> > box has 40 FE interfaces or 4 GE interfaces, at some point you'll see 4
> > Gbps coming in so the box must be able to handle it to some usable
> > degree.

> Actually, you wouldn't expect to see 4 Gbps coming in.

You wouldn't expect it, but it simply happens anyway.

> That would be full
> saturation, which would imply serious performance degradation. Most networks
> that I've dealt with stick to a 70-80% saturation rule.

Unfortunately worms (or denial of service attackers) don't play nice.

> In addition, many of
> the problems concerning this traffic weren't throughput issues. Each router
> has a bandwidth limitation and a pps limitation. The worst DDOS I've had to
> deal with didn't even show as a bandwidth spike on my circuits but exceeded
> the pps of the router.

That's my point: if you can exceed the router's pps while staying within
the aggregate bandwidth for all ports on the box, you'll find yourself
in trouble at some point.

> Luckily, such attacks are easily dealt with using
> access-lists as the router is optimized to block more pps than it is
> designed to switch. This worm had both.

First of all, I don't want to have to install a filter to make a router
usable again. Second, this one was easy to filter. We can't count on
always being that lucky.

> circuit depended on how well it dealt with the loading as different L2
> protocols handle saturation differently. ATM is the ideal medium as the
> latency remains lower than FE or GE at peak saturation.

??? Latency is strictly a function of the average queue size, which is a
function of the number of bits coming in vs the number of bits going out
per unit of time.

Iljitsch van Beijnum

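An added example, not part of the original thread, that puts numbers on the two points argued above: a router has a bits-per-second ceiling and a separate packets-per-second ceiling, so small frames exhaust the pps budget long before any link is "saturated", and queueing latency is simply backlog divided by drain rate, whatever the L2 medium. The box figures (4 Gbps aggregate, 1 Mpps), frame sizes and buffer size are constructed for illustration; the 20-byte per-frame overhead is Ethernet preamble, SFD and inter-frame gap.

```python
# Added example (not from the original thread): a router has separate bps and
# pps ceilings, and small frames hit the pps ceiling first. All box figures,
# frame sizes and buffer sizes below are constructed for illustration.

ETH_OVERHEAD_BYTES = 20  # preamble + SFD + inter-frame gap per frame on the wire


def wire_bits(frame_bytes):
    """Bits one frame occupies on the wire, overhead included."""
    return (frame_bytes + ETH_OVERHEAD_BYTES) * 8


def offered_pps(offered_bps, frame_bytes):
    """Frames per second that a bit rate represents at one frame size."""
    return offered_bps / wire_bits(frame_bytes)


def forwarding_capacity(max_bps, max_pps, frame_bytes):
    """Bit rate the box can really forward at this frame size, and which limit binds."""
    pps_bound_bps = max_pps * wire_bits(frame_bytes)
    if pps_bound_bps < max_bps:
        return pps_bound_bps, "pps"
    return max_bps, "bps"


def crossover_frame_bytes(max_bps, max_pps):
    """Frame size below which the pps ceiling, not bandwidth, is the bottleneck."""
    return max_bps / (8 * max_pps) - ETH_OVERHEAD_BYTES


def queueing_delay_ms(in_bps, out_bps, buffer_bytes, seconds):
    """One-way delay added by the output queue after `seconds` of overload.

    The queue grows at (in - out) until the buffer is full; the delay a packet
    sees is queue length divided by the drain rate, independent of the L2 medium.
    """
    if in_bps <= out_bps:
        return 0.0
    backlog_bytes = min((in_bps - out_bps) / 8 * seconds, buffer_bytes)
    return backlog_bytes * 8 / out_bps * 1000


if __name__ == "__main__":
    box_bps, box_pps = 4e9, 1e6  # constructed: 4 x GE aggregate, 1 Mpps forwarding
    print(f"pps binds below {crossover_frame_bytes(box_bps, box_pps):.0f}-byte frames")
    for size in (64, 400, 1500):
        cap, limit = forwarding_capacity(box_bps, box_pps, size)
        print(f"{size:5d} B frames: forwards {cap / 1e9:.2f} Gbps ({limit}-bound)")
    print(f"1.2 Gbps into a GE port, 10 MB buffer, after 100 ms: "
          f"{queueing_delay_ms(1.2e9, 1e9, 10_000_000, 0.1):.0f} ms queueing delay")
```

With these constructed figures the box forwards only 0.67 Gbps of 64-byte frames, about 17% of its nominal aggregate, which is the "exceeds the pps without a bandwidth spike" case described above.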