[nsp] NAT spiking CPU

Streiner, Justin streiner at stargate.net
Mon Sep 8 15:21:58 EDT 2003


On Mon, 8 Sep 2003, Bob Collie wrote:

> We're seeing this same trouble with our network and have not yet found a
> way to limit NAT translations.  What we're seeing specifically is that a
> site with a 2610 where we're running NAT gets infected by one of the
> DDOS attacks (be it ICMP, etc.) and the sheer volume of dynamic,
> outbound NAT translations makes the router unusable.
>
> Has anyone found a way to limit this?  We tried using CAR but it didn't
> make much of a difference when applied against excessive and randomized
> ICMP traffic.

For Blaster/Nachi traffic, I found that judicious use of uRPF worked very
well against infected users that were spewing out lots of tcp/135 and
ICMP echo traffic.  As always, YMMV.

jms
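Worked configuration for the two mitigations discussed in this thread (an editor's added example, not posted by either participant): uRPF on the inside interface of a small NAT router, plus a cap on the dynamic translation table. The interface names, addresses and ACL number are placeholders, and the `ip nat translation max-entries` forms are assumed to be available on the IOS release in use (they are not in every 12.x image). Strict uRPF only drops packets whose source address is not routed back via the ingress interface, so it stops the randomized-source ICMP described above before a translation is ever created; a scan with a genuine source (a tcp/135 SYN has to carry one to complete a handshake) passes uRPF and is handled by the explicit ACL at the end.

```cisco
! Added example for the thread above; not a configuration from either poster.
! Assumes a 2610 with FastEthernet0/0 facing the infected LAN (NAT inside)
! and Serial0/0 facing the upstream (NAT outside). Names and addresses are
! placeholders.
!
ip cef                                  ! uRPF is a CEF feature; it does nothing without this
!
! Cap the translation table so one runaway host cannot take the box down.
! Assumption: this release supports the global and per-host forms.
ip nat translation max-entries 4000     ! global ceiling on dynamic entries
ip nat translation max-entries all-host 300   ! per inside host (NAT rate-limiting feature)
ip nat translation icmp-timeout 30      ! age ICMP entries quickly (default is 60s)
ip nat translation udp-timeout 120      ! likewise UDP (default is 300s)
!
interface FastEthernet0/0
 description inside LAN (infected hosts live here)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ! Strict uRPF: drop any packet whose source is not reachable back out
 ! this interface. Spoofed/randomized-source floods die here, before NAT.
 ! Older syntax, matches what a 12.2-era 2600 image accepts:
 ip verify unicast reverse-path
 ! Equivalent newer syntax, where available (do not configure both):
 ! ip verify unicast source reachable-via rx
 ! Real-source worm traffic is not caught by uRPF; filter it explicitly.
 ip access-group 120 in
!
interface Serial0/0
 description upstream
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Inside-to-outside filter: stop the tcp/135 vector at the edge.
access-list 120 deny   tcp any any eq 135
access-list 120 permit ip any any
!
! What to look at afterwards (show commands, not part of the config):
!   show ip traffic          -> "unicast RPF" counter under Drop
!   show ip interface fa0/0  -> "verification drops" for this interface
!   show ip nat statistics   -> current translation count vs. the cap
```

Two caveats worth keeping in mind with this configuration. Strict uRPF on an interface that carries asymmetric routing (a second path back to the same subnet) will drop legitimate traffic, so it is only safe on stub, single-homed edges like the LAN side of a 2610. And `max-entries` is a blunt instrument: once the global limit is hit, every new flow from every inside host fails until entries age out, which is why the per-host form and shorter ICMP/UDP timeouts are shown alongside it.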

