[c-nsp] 7x00 routers that survive

Rubens Kuhl Jr. rubens at email.com
Mon Aug 30 13:38:00 EDT 2004



> > A FE link can carry 148800pps simplex, twice as much full-duplex. A
> > Juniper reference says an ATM STM-1 can carry 300 kpps of 40-byte
> > packets; I'm willing to bet that attacks will come only from inside or
> > outside, not both sides... so if NPE-G1 can handle 630kpps of attack
> > packets, it would fit the "2 OC-3" scenario. What kind of attack packets
> > have you sent to the router with Smartbits ?
>
> Unfortunately an STM-1 link has considerably lower overhead than FE.
> My calculation is:
>
> STM-1 payload capacity (available for IP + L2 encap): 149.76 Mbps.
> HDLC/PPP overhead: 8 bytes, minimum size IP packet: 20 bytes. Thus:

Juniper calculations were for 40 byte packets, one-way.

> I'm willing to be corrected on the numbers above, but I believe it is
> correct. Remember that a DDoS attack doesn't need to have a UDP or TCP
> header - IP alone will do just fine.

As long as the packet can be routed... if a packet can only be locally
generated, it's not a DDoS risk. If such a 20-byte IP packet is routed by
most routers, then there is a real chance they hit you.

> I used a Smartbit with GE ports to generate the traffic. As mentioned
> above, Ethernet overhead is higher - so it's possible you could get
> better numbers when testing with a real STM-1. However, I don't really
> believe so - because the Smartbits testing showed that the highest pps
> numbers for the NPE-G1 were *not* at minimum sized Ethernet packets
> (64 bytes) but much closer to 128 bytes.

Hummmm... bad sign.

Results so far: NPE-G1 (7200 or 7301) required for 1 OC-3.

Rubens
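The thread's numbers (FE at minimum frame size, STM-1 with HDLC/PPP framing, the "twice as much full-duplex" point and the 630 kpps router figure) all come from the same worst-case calculation: link rate divided by the bits on the wire per smallest packet. The following is an added worked example, not code from either poster or from Cisco or Juniper; the Ethernet overhead figures (preamble, SFD, header, FCS, inter-frame gap, 46-byte minimum payload) are standard values stated here as assumptions, and the 8-byte HDLC/PPP overhead is the quoted poster's figure. It lets a defender check, before an attack rather than during one, whether a given platform's pps rating covers a link run flat out with minimum-sized packets.

```python
"""Worst-case packets-per-second of a link versus a router's forwarding rating.

Added example for capacity planning; it is not the posters' calculation nor
vendor code. Overhead constants are assumptions documented inline.
"""

# Ethernet bytes on the wire in addition to the IP packet: 7 preamble + 1 SFD
# + 14 header + 4 FCS + 12 inter-frame gap (assumed standard values).
ETHERNET_WIRE_OVERHEAD = 38
# A frame must carry at least 46 bytes of payload (64-byte minimum frame).
ETHERNET_MIN_PAYLOAD = 46
# HDLC/PPP framing overhead per packet; figure taken from the quoted post.
HDLC_PPP_OVERHEAD = 8

FE_BPS = 100_000_000            # Fast Ethernet line rate
STM1_PAYLOAD_BPS = 149_760_000  # STM-1 payload rate quoted in the thread
MIN_IP_BYTES = 20               # bare IP header, no L4 header (as in thread)


def ethernet_pps(link_bps, ip_bytes):
    """Max packets per second, one direction, on Ethernet.

    Packets shorter than the minimum payload are padded, so a 20-byte IP
    packet still costs a full 64-byte frame plus preamble and gap.
    """
    payload = max(ip_bytes, ETHERNET_MIN_PAYLOAD)
    return link_bps // ((payload + ETHERNET_WIRE_OVERHEAD) * 8)


def hdlc_pps(link_bps, ip_bytes):
    """Max packets per second, one direction, with HDLC/PPP framing.

    No minimum frame size, so the smallest routable IP packet really does
    cost only its own bytes plus the framing overhead.
    """
    return link_bps // ((ip_bytes + HDLC_PPP_OVERHEAD) * 8)


def load_ratio(router_pps, link_pps, full_duplex=False):
    """Fraction of a router's pps rating that a saturated link consumes.

    full_duplex=True models attack traffic arriving from both sides at once
    (the "twice as much full-duplex" case). A value above 1.0 means the link
    can deliver more packets than the router is rated to forward.
    """
    load = link_pps * (2 if full_duplex else 1)
    return load / router_pps


if __name__ == "__main__":
    router_pps = 630_000  # NPE-G1 figure assumed in the thread
    for name, pps in (
        ("FE, min frame", ethernet_pps(FE_BPS, MIN_IP_BYTES)),
        ("STM-1 HDLC/PPP, 20-byte IP", hdlc_pps(STM1_PAYLOAD_BPS, MIN_IP_BYTES)),
        ("STM-1 HDLC/PPP, 40-byte IP", hdlc_pps(STM1_PAYLOAD_BPS, 40)),
    ):
        for fd in (False, True):
            ratio = load_ratio(router_pps, pps, full_duplex=fd)
            print(f"{name:28s} {'full' if fd else 'half':4s}-duplex "
                  f"{pps:8d} pps -> {ratio:5.2f} of router rating")
```

The Ethernet result for minimum-sized frames reproduces the 148800 pps figure at the top of the thread, and the HDLC/PPP figure for 20-byte packets shows why the quoted poster calls Ethernet the higher-overhead medium: at the same packet size the STM-1 delivers far more packets per second than FE, which is the number a router rating has to be measured against.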
