[c-nsp] 7x00 routers that survive

sthaug at nethelp.no sthaug at nethelp.no
Mon Aug 30 15:14:59 EDT 2004


> Juniper calculations were for 40-byte packets, one-way.
> 
> > I'm willing to be corrected on the numbers above, but I believe it is
> > correct. Remember that a DDoS attack doesn't need to have a UDP or TCP
> > header - IP alone will do just fine.
> 
> As long as the packet can be routed... if a packet can only be locally
> generated, it's not a DDoS risk. If such a 20-byte IP packet is routed at
> most routers, then there is a real chance it hits you.

Why do you believe a 20 byte IP packet would not be routed?

> > I used a Smartbit with GE ports to generate the traffic. As mentioned
> > above, Ethernet overhead is higher - so it's possible you could get
> > better numbers when testing with a real STM-1. However, I don't really
> > believe so - because the Smartbits testing showed that the highest pps
> > numbers for the NPE-G1 were *not* at minimum sized Ethernet packets
> > (64 bytes) but much closer to 128 bytes.
> 
> Hummmm... bad sign.
> 
> Results so far: NPE-G1 (7200 or 7301) required for 1 OC-3.

It depends on what you prepare for. To handle really heavy DDoS attacks
(Gbps/Mpps or more) there seems to be no doubt that you need hardware based
forwarding. If you only have an STM-1 or two, NPE-G1 may well be enough
since you rarely receive *only* minimum sized attack traffic.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
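The packet-rate reasoning in the thread above (40-byte one-way attack packets, the higher framing overhead of Ethernet versus a real STM-1, and why a 20-byte IP-only packet matters) can be put into numbers. The following is an added worked example, not code from the original post or from anyone on the list. The line rates (1 Gbps for GE, 149.76 Mbps usable payload for STM-1/OC-3c after SONET/SDH overhead), the Ethernet framing constants and the 7-byte PPP/HDLC overhead are assumptions stated in the code; adjust them for your own framing (e.g. 32-bit HDLC CRC or PPP field compression).

```python
# Added example (not from the original post): back-of-the-envelope packet rates
# for minimum-sized attack traffic on a GE port versus a POS STM-1/OC-3c link,
# to show why Smartbits numbers taken over Ethernet understate what a real
# STM-1 can deliver in packets per second. All rates and overheads below are
# assumptions, not figures quoted in the thread.

GE_LINE_BPS = 1_000_000_000      # assumed: Gigabit Ethernet line rate
STM1_PAYLOAD_BPS = 149_760_000   # assumed: STM-1/OC-3c payload rate after SONET/SDH overhead
ETH_HEADER_FCS = 18              # 14-byte Ethernet header + 4-byte FCS
ETH_MIN_FRAME = 64               # minimum frame size; shorter payloads are padded up to it
ETH_PREAMBLE_IFG = 20            # 8-byte preamble/SFD + 12-byte inter-frame gap
HDLC_OVERHEAD = 7                # assumed: flag + address + control + 2-byte protocol + 2-byte FCS


def ethernet_wire_bytes(ip_bytes: int) -> int:
    """Bytes one IP packet occupies on an Ethernet wire, including padding,
    preamble and inter-frame gap."""
    frame = max(ETH_MIN_FRAME, ip_bytes + ETH_HEADER_FCS)
    return frame + ETH_PREAMBLE_IFG


def pos_wire_bytes(ip_bytes: int) -> int:
    """Bytes one IP packet occupies in the SONET payload with PPP/HDLC framing
    (overhead is the assumed HDLC_OVERHEAD, not a measured value)."""
    return ip_bytes + HDLC_OVERHEAD


def ethernet_pps(ip_bytes: int, link_bps: int = GE_LINE_BPS) -> int:
    """Maximum packets per second for this IP size on an Ethernet link."""
    return link_bps // (ethernet_wire_bytes(ip_bytes) * 8)


def pos_pps(ip_bytes: int, payload_bps: int = STM1_PAYLOAD_BPS) -> int:
    """Maximum packets per second for this IP size on a POS link."""
    return payload_bps // (pos_wire_bytes(ip_bytes) * 8)


def compare(ip_sizes=(20, 40, 110, 1500)) -> list:
    """Rows of (IP size, GE pps, STM-1 pps). 110-byte IP is the 128-byte
    Ethernet frame the thread mentions; 20 bytes is an IP header with no
    transport header at all."""
    return [
        {"ip_bytes": n, "ge_pps": ethernet_pps(n), "stm1_pps": pos_pps(n)}
        for n in ip_sizes
    ]


if __name__ == "__main__":
    print(f"{'IP bytes':>8} {'GE pps':>10} {'STM-1 pps':>10}")
    for row in compare():
        print(f"{row['ip_bytes']:>8} {row['ge_pps']:>10} {row['stm1_pps']:>10}")
```

Two things the table makes visible: on Ethernet a 20-byte and a 40-byte IP packet cost the same (both are padded to a 64-byte frame, so a GE port tops out near 1.49 Mpps either way), whereas on POS the header-only packet is markedly cheaper, so a saturated STM-1 carrying 20-byte packets delivers roughly 1.7 times the pps of one carrying 40-byte packets. That is the sense in which testing with a GE-based Smartbits gives a different worst case than the link you actually terminate.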