IPSEC VPNs capable of handling worm traffic
gmaxwell at martin.fl.us
Thu Nov 20 02:16:07 UTC 2003
On Thu, 20 Nov 2003, Magnus Eriksson wrote:
> The last 2 days I've been fighting against the Nachi ICMP onslaght on a
> customer network.
> Problem is that the "random" destination traffic seem to kill my VPNs by
> vendor N. CPU is consumed, probably due to trying to maintain/update
> route cache. Or maybe it hits it's pps limit.
> Ordinary traffic req. is approx. 10 Mbit/s mixed traffic.
> Worm traffic I would like to be able to handle is approx 2-3kpps.
> Anyone know of any VPN boxes/routers with VPN capability that is better
> able to handle the onslaught? Is vendors C's boxes better than Nortel's?
> Is CEF going to help me? Or is the problem pps related?
> Will it help to throw a bigger box at the problem?
> Any advice greatly appreciated.
I have a bunch of Linux/FreeSwan systems acting as site to site IPSEC
gateways, IPtables firewalling, no connection tracking... At one point I
had at least three infected sites and no problems. YMMV.
In my testing my 1.mumble gHz PIII based boxes can saturate 100mbit while
using AES. Anyone using a Linux system as a router with large (ahem bigger
than /25!) subnets should be sure to adjust the neighbor table thresholds
to avoid scanning triggered problems.
More information about the NANOG