[c-nsp] Re: 6500 under DDoS

Virgil virgil at webcentral.com.au
Tue Jul 27 20:02:43 EDT 2004


> - weird features turned on (policy based routing, NBAR)

Here's an excerpt from an email about 12.2S on 7200s.


> The implementation of NBAR in 12.2s is badly broken with respect
> to fragmented packets.  It's easy to bring an NPE-G1 to its knees
> without really trying very hard.  NBAR was reimplemented for
> 12.3T and our tests show that it doesn't have the same problems.


The same piece of code is present in 12.1E/12.2SX which means
that SUP1/SUP2/SUP720 are all affected as well.  A little laptop
with a PCMCIA ethernet card can nuke a SUP720 with replayed
UDP frags.

> > Interface X
> >  ip nbar protocol-discovery
> > Be careful about cpu usage.

The difference between nbar protocol-discovery off and on, on a 7301 
running 12.2(18)S is 9 -> 11% CPU and 20 -> 100% CPU.  Traffic was 
300Mbits, +25Mbits UDP frags.

Wasn't until the UDP frags came along that it was really unhappy.

Regards,

Virgil

-- 
WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
Level 6, 100 Wickham St.                 Infrastructure Projects Manager
PO Box 930, Fortitude Valley.            email: virgil at webcentral.com.au
Queensland, Australia 4006.                       phone: +61 7 3230 7332
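As an added example (not part of the original mail or any Cisco tooling), a small audit script that walks an IOS running-config and lists the active interfaces where `ip nbar protocol-discovery` is enabled, so the CPU exposure described above can be inventoried before a fragment flood finds it; the config text below is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of an IOS running-config (not from the original mail).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ip nbar protocol-discovery
!
interface GigabitEthernet0/2
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/3
 ip nbar protocol-discovery
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            # '!' or any other top-level line ends the current stanza
            current = None
    return stanzas


def nbar_discovery_interfaces(config: str) -> List[str]:
    """Return interfaces that are up and have NBAR protocol-discovery on."""
    found = []
    for name, cmds in parse_interfaces(config).items():
        if "ip nbar protocol-discovery" in cmds and "shutdown" not in cmds:
            found.append(name)
    return found


if __name__ == "__main__":
    for iface in nbar_discovery_interfaces(SAMPLE_CONFIG):
        print(f"NBAR protocol-discovery active on {iface}")
```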
