[nsp] BGP sessions drop during DOS and general DOS protections.
joshua sahala
joshua.ej.smith at usa.net
Tue Jul 22 09:07:24 EDT 2003
On Tuesday 22 July 2003 04:43, Glen Turner wrote:
> You can also use QoS to at least ensure your Hellos hit
> the wire ahead of outgoing DoS traffic. You should hassle
> your ISP to do the same (as hopefully the DoS is incoming).
just be mindful that your router has the horsepower to do the policing
when under attack - i have a 7513 that croaked under the load of an
attack (actually it was the vip that croaked first - but prior to,
the vip4-80 was averaging 40-60% utilization, so i was asking for
it...i am now running a vip6-80 and my cpu load on the vip has
dropped to about 15-20%).
but then i probably wouldn't suggest my company's architectural or qos
models, so you can take this with a grain of salt.
[cut]
> If you nail this, then your BGP should then only do odd
> things if all the user-space CPU on your router is starved
> (eg: lots of packets taking a slow processor path, perhaps
> the DoSer knows this and crafts the packet accordingly, or
> perhaps a buffer allocation is needed as the output link
> is slower than the ingress link, or perhaps your router
> isn't sized for full load).
i think that that is their goal ;)
going back to rob's post, the secure[ios|bgp] templates are full of
good suggestions...and i will personally attest (as will many others)
that they work. most of the attacks aimed at me (or my downstreams)
were garden variety syn and icmp attacks - spoofed, distributed
sources, mostly small packets, high pps, etc. rate-limiting syn and
icmp traffic seems to have helped, and although 'controversial',
bogon filtering has probably saved me more than i know.
my thanks to rob and team cymru :-)
/joshua
--
What difference does it make to the dead, the orphans, and the
homeless, whether the mad destruction is brought under the name of
totalitarianism or the holy name of liberty and democracy?
- Gandhi -
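The three measures discussed in this thread (bogon filtering, rate-limiting SYN and ICMP, and getting routing-protocol traffic onto the wire ahead of flood traffic) in one Cisco IOS configuration sketch. This is an added example, not code from Joshua's post, from the Secure IOS/BGP templates, or from Team Cymru. The interface name, ACL numbers, class and policy names and the rate values are assumptions chosen for illustration; the bogon list shown is only the static special-use ranges, and the full bogon list changes over time and should be taken from a maintained feed.

```cisco
! Added example, not from the original post. Interface name, ACL
! numbers, class/policy names and rates are assumptions.
!
! 1. Bogon filter on the upstream-facing interface. Only the static
!    special-use source ranges are listed here; the full bogon list
!    is maintained externally and must be refreshed.
ip access-list extended BOGON-IN
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 permit ip any any
!
! 2. Match lists for the CAR limiters: all ICMP, and TCP segments that
!    are not part of an established flow (i.e. connection-opening SYNs).
access-list 110 permit icmp any any
access-list 111 deny   tcp any any established
access-list 111 permit tcp any any
!
! 3. Small priority queue for routing-protocol traffic. IOS marks its
!    own BGP/OSPF/EIGRP packets IP precedence 6, so matching 6 and 7
!    keeps hellos and keepalives ahead of outgoing flood traffic.
class-map match-any ROUTING-CONTROL
 match ip precedence 6 7
policy-map EGRESS-QOS
 class ROUTING-CONTROL
  priority percent 5
 class class-default
  fair-queue
!
interface Serial1/0/0
 description Upstream transit (assumed interface)
 ip access-group BOGON-IN in
 ! ICMP capped at 256 kbit/s, SYNs at 512 kbit/s (assumed values;
 ! size these to the link and to normal traffic levels).
 rate-limit input access-group 110 256000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 111 512000 8000 8000 conform-action transmit exceed-action drop
 service-policy output EGRESS-QOS
```

The CPU point raised above applies directly: CAR and the ACL are evaluated per packet on the forwarding engine (the VIP on a 7500), so watch `show processes cpu` and `show interfaces rate-limit` while traffic is normal to confirm there is headroom before an attack arrives, and check `show access-lists` counters to see how much the bogon filter is actually catching. The rate values are a starting point, not a recommendation; set them from a baseline of legitimate ICMP and connection-open rates on your own link.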