[c-nsp] 6500 under DDoS

Blaz Zupan blaz at inlimbo.org
Tue Jul 27 14:29:35 EDT 2004

One of our larger customers has a 6500 as their border router. They are often
the target of DDoS attacks. I am shocked at how their 6500 behaves under the
attacks. For example, today we had a rather small attack aimed at a single IP
address and the latency through their 6500 jumped through the roof (2000 ms or
more) and a bit later even dropped the BGP session to us.

Our connection to them is 1GB/s, so that's not the problem. At one point the
traffic going to them was less than 25Mbps and 7000 pps, while the latency was
still at 2500 ms. I tried blocking the attacking /24s on our Juniper border
routers - there were many origins, so I only blocked the largest ones. The
latency was still high even after blocking most of them. Only after I blocked
the attacked destination address (a single cable broadband user) did the
situation immediately normalize. Normal traffic towards them is around 30000
pps and about 150 Mbps.

Does anybody have an idea what could be upsetting a 6500 so much that it
can't even carry 7000 pps and 20 Mbps of traffic without 2000 ms latency
through a gigabit link???

The only data I know about the 6500 is that it has a Sup720, but I don't know
anything about the cards or IOS or even which 6500 model it is (although I can
probably find out).

Most important question: how could one misconfigure their 6500 (hardware or
software wise) to be *so* sensitive to DoS attacks?
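The triage the post describes (rank the attacking source /24s, block the largest, then notice that the single attacked destination is what actually matters) can be done quickly from sampled flow records. The script below is an added example, not code from the post or from any Cisco or Juniper tool; the flow records it works on are constructed sample data, and the function names and the 90% coverage threshold are my own choices. It aggregates packet counts by source /24 and by destination address and reports how many entries a filter would need to cover most of the traffic, which is the question that decides whether to block origins or the target.

```python
"""Rank attack traffic by source /24 and by destination from flow records.

Added illustration of the triage step in the post; not code from the post
or from any vendor tool. SAMPLE_FLOWS is constructed data, not a capture.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: (src_ip, dst_ip, packets) as a NetFlow/sFlow collector
# might export for a few seconds of an attack. Many origins, one target.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 3000),
    ("198.51.100.9", "192.0.2.10", 2500),
    ("203.0.113.4", "192.0.2.10", 1200),
    ("203.0.113.77", "192.0.2.10", 800),
    ("192.0.2.200", "192.0.2.10", 100),
    ("198.51.100.12", "192.0.2.55", 150),
    ("10.0.0.5", "192.0.2.99", 90),
]


def aggregate_by_source_prefix(flows, prefixlen=24):
    """Packets per source network, keyed by the /prefixlen containing the source."""
    totals = Counter()
    for src, _dst, packets in flows:
        # strict=False lets us build the covering network from a host address.
        net = ip_network(f"{ip_address(src)}/{prefixlen}", strict=False)
        totals[str(net)] += packets
    return totals


def aggregate_by_destination(flows):
    """Packets per destination address."""
    totals = Counter()
    for _src, dst, packets in flows:
        totals[dst] += packets
    return totals


def top_n(counter, n):
    """The n heaviest keys with their packet counts, largest first."""
    return counter.most_common(n)


def entries_to_cover(counter, fraction=0.9):
    """How many of the heaviest keys are needed to cover `fraction` of all packets.

    A small number for destinations and a large one for sources is the
    signature of a widely sourced attack on a single target: a destination
    filter is one entry, a source filter is a long and leaky list.
    Returns 0 for an empty counter.
    """
    total = sum(counter.values())
    if total == 0:
        return 0
    covered = 0
    for i, (_key, packets) in enumerate(counter.most_common(), start=1):
        covered += packets
        if covered / total >= fraction:
            return i
    return len(counter)


if __name__ == "__main__":
    by_src = aggregate_by_source_prefix(SAMPLE_FLOWS)
    by_dst = aggregate_by_destination(SAMPLE_FLOWS)
    print("top source /24s:", top_n(by_src, 3))
    print("top destinations:", top_n(by_dst, 3))
    print("source /24s needed for 90% coverage:", entries_to_cover(by_src))
    print("destinations needed for 90% coverage:", entries_to_cover(by_dst))
```

On the constructed sample the heaviest two source /24s cover most of the packets but the single destination covers nearly all of them, which is the shape the post describes: the origin filter never quite caught up, the destination filter ended the problem at once.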

