[c-nsp] front-end box to protect wimpy Cisco router from DoS?
Adrian Chadd
adrian at creative.net.au
Fri May 11 21:16:49 EDT 2007
On Fri, May 11, 2007, Ed Ravin wrote:
> I don't recall the exact numbers, but I remember that even a mere 20-30 Mb
> of traffic in short packets would send the 7200 begging for mercy. I don't
> need to screen out all potential attacks, but I do need the ability to
> screen out any particular attack as soon as we detect it so we can get
> our traffic rolling again.
That's "only" what, 300,000 odd pps? That'll make your NPE-225 melt.
There were some PPS numbers posted recently for straight routing, no features,
of various Free UNIXes, I'm trying to dig up the URL. FreeBSD-4 topped out
at 900,000 pps; others hovered around 500,000 pps if I remember.
http://www.tancsa.com/blast.html
(It'd be a fun project to take something like DFBSD or FreeBSD-4, optimise the
heck out of the forwarding path and stick management on another CPU. But then,
this is cisco-nsp, not ghetto-router-nsp.)
Adrian