DOS attack tracing
Chris Ranch
CRanch at Affinity.com
Tue May 10 15:47:05 UTC 2005
On Monday, May 09, 2005 5:49 PM, Richard wrote:
> >
> > On Mon, May 09, 2005 at 01:35:06PM -1000, Richard wrote:
> >
> > > We recently experienced several DOS attacks which drove
> > > our backbone routers' CPU to 100%. The routers are not
> > > under attack, but the router just couldn't handle the
> > > traffic. There is a plan to upgrade these routers.
> >
> > What kind of routers? We had problems like this with Cisco
> > 7206VXRs with NPE-300s at my last job because they just
> > couldn't handle the high volume of packets-per-second from
> > certain types of attack.
>
> Oh... I guess that it would be a known issue then... we have
> exactly the same type of routers. Our routers normally run at 35%
> CPU. What sucks is that the traffic volume doesn't have to be
> very high to bring down the router.

Yes, the 7206vxr with whatever processor really checks out when under
any kind of real flood through it. Its big brother, the 7304-NSE100,
does as well. But the 7304-NPE100 with the PXF can forward that (d)DoS
very well. Even with fairly extensive ingress filters. The kick in the
head is that the processors are the same price. I don't know why they
even sell the NPE100...

Then you can take whatever measures you like to characterize and
mitigate. A combination of upstream null routing (poisoning
communities), ingress filters, core null routing, and your favorite DDoS
mitigation equipment filtering has been very effective for us.

Chris
--------------------------------
Chris Ranch
Director of Network Architecture
Affinity Internet, Inc.