[nsp] BGP sessions drop during DOS and general DOS protections.

Glen Turner glen.turner at aarnet.edu.au
Tue Jul 22 19:13:25 EDT 2003


> ... It's all about saturation.  If the router can no
> longer handle the interrupts, or the pipe is full, BGP keepalives
> will not make it and the peering session will reset.

You can also use QoS to at least ensure your Hellos hit
the wire ahead of outgoing DoS traffic.  You should hassle
your ISP to do the same (as hopefully the DoS is incoming).

Most ISPs don't have a good QoS architecture (eg: they'll
happily transit packets with DSCP=48 rather than altering
transiting DSCP=48 packets to DSCP=0).  Experiments on
random paths through the Internet show that DSCP=40 traffic
gets about 4* the service of a DSCP=0 packet.  That is,
a lot of ISPs are deploying WFQ without knowing it or
policing access to it.

You should also ensure that any iBGP has suitable layer 3
QoS and layer 2 priority and is preferably carried in an
unreachable control-traffic-only VLAN.

If you nail this, then your BGP should only do odd
things if all the user-space CPU on your router is starved
(eg: lots of packets taking a slow processor path, perhaps
the DoSer knows this and crafts the packet accordingly, or
perhaps a buffer allocation is needed as the output link
is slower than the ingress link, or perhaps your router
isn't sized for full load).
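As an added illustration of the two measures described above (not Glen's configuration, and not from the list archive), here is a Cisco IOS MQC fragment in the style the list discusses. It assumes hypothetical interface names (Gi0/1 as an upstream/peering link, Gi0/2 as a customer-facing edge) and a hypothetical 5% priority reservation; adjust both for the real box. IOS marks locally generated BGP with IP precedence 6 (DSCP CS6) by default, so the egress class only has to match that marking plus TCP port 179 for peers that mark differently. The ingress policy does what the post says most ISPs do not do: it rewrites CS6/CS7 arriving from untrusted ports to DSCP 0 so outside traffic cannot ride the control-traffic queue.

```cisco
! --- Egress: keepalives/updates leave ahead of any outgoing flood ---
! Assumed ACL name and class/policy names; TCP 179 is the BGP port.
ip access-list extended BGP-CONTROL
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
class-map match-any CONTROL-TRAFFIC
 match ip dscp cs6
 match access-group name BGP-CONTROL
!
policy-map EGRESS-PRIORITY
 class CONTROL-TRAFFIC
  priority percent 5
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description assumed upstream / eBGP peering link
 service-policy output EGRESS-PRIORITY
!
! --- Ingress on untrusted edges: strip control-plane markings ---
class-map match-any UNTRUSTED-CS6
 match ip dscp cs6 cs7
!
policy-map INGRESS-REMARK
 class UNTRUSTED-CS6
  set ip dscp default
!
interface GigabitEthernet0/2
 description assumed customer-facing edge
 service-policy input INGRESS-REMARK
```

The priority class is given a small fixed share because BGP control traffic is tiny; a large reservation would only let a spoofed CS6 flood (from a port without the ingress remark) starve everything else. Do not apply INGRESS-REMARK on the iBGP or peering interfaces themselves, or you strip the marking you rely on. Note that this addresses the "pipe is full" case from the quoted message; it does nothing for the last case Glen mentions, where the route processor's CPU is starved, because the keepalive is never generated in the first place.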



More information about the cisco-nsp mailing list