Hello,
We saw something unusual tonight.
We were under a smurf attack, and we use (Cathy from @Home's excellent) rate-limiting
technique to limit the amount of icmp allowed in to our egress links.
(Thanks Cathy!)
OK, so the attack was against a specific /32.
If I made a null0 route for that /32, we stopped getting rate-limiting
matches, and the interface counters through which the traffic was
coming dropped from near 100% capacity down to "normal" loads.
However, the attack traffic was certainly still coming in, and the
load remained quite high on the router. Note that the /32 route
didn't change any announcements we were making.
Remove the null0 route, the interface counters spin up, along with
the rate-limit counters. Add the route back in, the counters
drop.
It's as if the router handled traffic into null0 in a specific
and unusual way. (also tried a route to lo0, which had the
same effect)
Has anyone seen this before, or perhaps even have a explanation
for this behaviour?
Many Thanks,
Dave Curado
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:15 EDT