Re: [nsp] confusing rate-limit null0-route behaviour

From: Kevin Gannon (kevin@gannons.net)
Date: Sat Aug 19 2000 - 14:58:51 EDT


A Cisco SE told me that, for at least the loopback, software switching is used, and this is one of the reasons you should make passive and loopback interfaces in your IGP configs.

Don't know about the null; I would hope this is not the case.

Regards,
Kevin
-----Original Message-----
From: Dave Curado <davec@navipath.com>
To: cisco-nsp@puck.nether.net <cisco-nsp@puck.nether.net>
Date: Saturday, August 19, 2000 4:09 PM
Subject: [nsp] confusing rate-limit null0-route behaviour

>Hello,
>We saw something unusual tonight.
>We were under a smurf attack, and we use (Cathy from @Home's excellent)
>rate-limiting technique to limit the amount of icmp allowed in to our
>egress links.
>(Thanks Cathy!)
>
>OK, so the attack was against a specific /32.
>
>If I made a null0 route for that /32, we stopped getting rate-limiting
>matches, and the interface counters through which the traffic was
>coming dropped from near 100% capacity down to "normal" loads.
>
>However, the attack traffic was certainly still coming in, and the
>load remained quite high on the router. Note that the /32 route
>didn't change any announcements we were making.
>
>Remove the null0 route, the interface counters spin up, along with
>the rate-limit counters. Add the route back in, the counters
>drop.
>
>It's as if the router handled traffic into null0 in a specific
>and unusual way. (also tried a route to lo0, which had the
>same effect)
>
>Has anyone seen this before, or perhaps even have an explanation
>for this behaviour?
>
>Many Thanks,
>Dave Curado
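For readers who have not seen the setup the quoted post refers to, here is an added illustration (not configuration from either poster) of the two pieces involved: an ICMP CAR rate-limit on the ingress link and a /32 Null0 route for the attacked host. The interface name, ACL number, rate values and the 192.0.2.1 address are constructed placeholders.

```cisco
! Constructed example, not from the original posts. Interface, ACL number,
! rate values and 192.0.2.1 are placeholders.
!
! Match the ICMP echo/echo-reply traffic a smurf flood is made of.
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
!
! CAR on the ingress link: conforming ICMP is forwarded, excess is dropped.
! "show interfaces rate-limit" displays the conformed/exceeded counters
! the post refers to as the rate-limit matches.
interface Serial1/0
 rate-limit input access-group 100 512000 8000 8000 conform-action transmit exceed-action drop
!
! Blackhole route for the attacked /32, the route added in the quoted post.
ip route 192.0.2.1 255.255.255.255 Null0
```

Watch both the interface counters and the rate-limit counters after adding the Null0 route, since the post reports that the counters stop reflecting the inbound flood even though the traffic is still arriving.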

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:15 EDT