[c-nsp] DoS tracking on the 6500

Jon Lewis jlewis at lewis.org
Thu Mar 17 13:52:14 EST 2005


We got hit with a D?DoS attack last night of at least several hundred
mbit/s.  Tracking down the src/dest of the attack was complicated by the
fact that we've begun to migrate our internet circuits from 7500s to
6500s.

The 7500 with an OC3 transit was pretty much unusable during the attack,
so I didn't get to look at show ip cache flow on it.  The 6500s did much
better (basically no increase in CPU load even though transit FEs were
filled beyond capacity).  But, looking at show ip cache flow or show mls
netflow ip, I'd say the data was highly sampled, perhaps only what little
bit was handled by the SUP2 while nearly all traffic is switched by the
MSFC2.  Fortunately, I did see a couple of suspiciously large flows even
in the very sparse output and was able to have our upstreams null route
the target.

Is there a way to see the equivalent of show ip cache flow (executed on
the input VIP) from a 7500 on a 6500?  Is looking at exported netflow an
(the only?) option?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
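As an added example (not part of the original post, and not Cisco or cisco-nsp code): if the answer ends up being exported NetFlow, this is the kind of collector-side aggregation that answers "who is the target?" from v5 export datagrams, scaling by the sampling interval carried in the header so sampled exports from the SUP are not under-read. It assumes the standard NetFlow v5 layout (24-byte header, 48-byte records); the flows and addresses are constructed, using RFC 5737 documentation ranges.

```python
"""Rank destinations in a NetFlow v5 export datagram by estimated bytes.
Added example, not from the original post; packet layout follows the
NetFlow v5 format (24-byte header, 48-byte records); sample flows are constructed."""
import socket
import struct
from collections import Counter

HEADER_FMT = "!HHIIIIBBH"              # 24-byte v5 header
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"   # 48-byte v5 flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def build_v5_packet(flows, sampling_interval=0):
    """Pack (src, dst, sport, dport, proto, pkts, octets) tuples into a v5 datagram.
    Used here only to construct test input; a real exporter sends these over UDP."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, 0, 0, 0, 0, 0, sampling_interval)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    int.from_bytes(socket.inet_aton(src), "big"),
                    int.from_bytes(socket.inet_aton(dst), "big"),
                    0,            # nexthop
                    0, 0,         # input / output SNMP ifIndex
                    pkts, octets,
                    0, 0,         # first / last sysUptime
                    sport, dport,
                    0,            # pad1
                    0,            # tcp_flags
                    proto, 0,     # prot, tos
                    0, 0,         # src_as, dst_as
                    0, 0,         # src_mask, dst_mask
                    0)            # pad2
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + body


def parse_v5(packet):
    """Return (sampling_rate, [flow dicts]) from one v5 export datagram."""
    (version, count, _uptime, _secs, _nsecs, _seq,
     _etype, _eid, sampling) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    # Low 14 bits carry the 1-in-N sampling interval; 0 means unsampled.
    rate = sampling & 0x3FFF or 1
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        rec = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(rec[0].to_bytes(4, "big")),
            "dst": socket.inet_ntoa(rec[1].to_bytes(4, "big")),
            "pkts": rec[5], "octets": rec[6],
            "sport": rec[9], "dport": rec[10], "proto": rec[13],
        })
    return rate, flows


def top_destinations(packet, n=5):
    """Destinations ranked by estimated bytes (octets x sampling rate), highest first."""
    rate, flows = parse_v5(packet)
    totals = Counter()
    for f in flows:
        totals[f["dst"]] += f["octets"] * rate
    return totals.most_common(n)


def source_spread(packet, dst):
    """Distinct sources hitting dst; a wide spread points at a distributed attack."""
    _, flows = parse_v5(packet)
    return len({f["src"] for f in flows if f["dst"] == dst})


# Constructed sample: three heavy flows to one host, one normal flow elsewhere,
# exported with 1-in-100 sampling so the raw octet counts understate the load.
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.5", 40000, 80, 6, 1000, 1_500_000),
    ("203.0.113.11", "192.0.2.5", 40001, 80, 6, 900, 1_350_000),
    ("203.0.113.12", "192.0.2.5", 40002, 80, 17, 800, 1_200_000),
    ("198.51.100.7", "192.0.2.20", 5555, 443, 6, 10, 12_000),
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_FLOWS, sampling_interval=100)

if __name__ == "__main__":
    for dst, est_bytes in top_destinations(SAMPLE_PACKET):
        spread = source_spread(SAMPLE_PACKET, dst)
        print(f"{dst:>15}  ~{est_bytes / 1e6:8.1f} MB  from {spread} source(s)")
```

The point of scaling by the header's sampling field is the one raised above: when the box only sees a small fraction of packets, unscaled octet counts make an attack look an order of magnitude smaller than it is, while the ranking of the target still holds.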
