Re: [nsp] Cisco DOS vulnerabilities

From: Richard Steenbergen (ras@above.net)
Date: Wed Dec 01 1999 - 19:52:31 EST


On Wed, Dec 01, 1999 at 10:25:59PM +0000, Peter Fitchett wrote:
> Hi
>
> This might be common knowledge, but I think it's worth mentioning.
>
> 1. If you run large access lists, your router may be vulnerable to a DOS attack.
>
> 2. Your router might also be vulnerable if you route networks to the null0 interface.
>
>
> A site I am involved with had a server syn flooded on random ports with random source addresses. The pps rate was quite high (in the order of 20K pps)
> indicating that it may have been a Tribe attack.
>
> The server sits behind a 7500 fast eth interface with a 250 rule access list. The 7500 is running 11.1.28.1CC with RSP4 and VIP2-50's
>
> CPU normally peaks at 60% (10min), but shot up to 100% during the attack, neighbors started bouncing and it was good night nurse.
>
> In simulating the attack, CPU is unaffected without the access list.
>
> We also found that CPU increased significantly when the destination was routed to null due to the ingress interface process switching packets to the
> null interface. In testing this we found that the router is process switching to null through some interfaces and fast switching to null through
> others, even though identical switching methodologies were configured as reported by a show ip int.

a) Try 12.0(6)S+ w/access-list compiled, big improvement for large acl
b) Filter high PPS attacks up front and preferably on the inbound int
c) CEF helps high pps a lot
d) rate-limit actually gives better performance than straight-up acl on
   something like syn floods, at least on a 7206vxr
e) 20kpps is by no means a sizeable attack
f) vip's choke badly dealing with high pps attacks, a 7206vxr w/npe300 is
   your best bet short of a gsr if you need to stop them

-- 
Richard A Steenbergen <ras@above.net>   http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
AboveNet Communications - AboveSecure Network Security Engineer, Vienna VA
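As an added illustration, not taken from the thread or from either poster: an IOS configuration sketch contrasting the layout Peter describes (a large extended ACL on the inbound interface, software-matched per packet) with the 12.0(6)S-era setup Richard recommends (compiled ACLs, CEF, and a CAR rate-limit on the inbound interface for SYN segments). Interface names, ACL numbers, addresses and the rate values are assumptions.

```cisco
! --- Before: the layout described in the thread (interface/ACL numbers assumed) ---
! A ~250-line extended ACL evaluated linearly on every packet; at 20 kpps of
! random-source SYNs the RSP sits at 100% CPU and adjacencies start to flap.
interface FastEthernet1/0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit tcp any host 192.0.2.10 eq www
! ... ~248 more entries ...
access-list 100 deny ip any any

! --- After: the changes suggested in the reply (IOS 12.0(6)S or later) ---
! Turbo ACLs: the list is compiled into lookup tables, so match cost is
! bounded instead of growing with the number of entries.
access-list compiled
! CEF: forwarding from a precomputed FIB rather than a demand-built route
! cache; the reply reports this helps considerably at high pps.
ip cef
!
! Match only SYN segments towards the protected server (address assumed).
access-list 101 permit tcp any host 192.0.2.10 syn
!
interface FastEthernet1/0/0
 ip address 192.0.2.1 255.255.255.0
 ! CAR drops SYNs above the configured rate instead of leaving that work to
 ! a plain ACL deny. 256 kbit/s with 8000/16000-byte bursts is an assumed
 ! value; size it to the legitimate SYN rate on the link.
 rate-limit input access-group 101 256000 8000 16000 conform-action transmit exceed-action drop
 ip access-group 100 in
```

Verify the effect with `show interfaces rate-limit` and `show access-lists` counters during a test run; if the ACL still shows hits for flood traffic, the rate-limit is not matching the packets you expect.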



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:08 EDT