[c-nsp] 6500 under DDoS

Jared Mauch jared at puck.nether.net
Tue Jul 27 14:46:25 EDT 2004


On Tue, Jul 27, 2004 at 08:29:35PM +0200, Blaz Zupan wrote:
> One of our larger customers has a 6500 as their border router. They are often
> the target of DDoS attacks. I am shocked at how their 6500 behaves under the
> attacks. For example, today we had a rather small attack aimed at a single IP
> address and the latency through their 6500 jumped through the roof (2000 ms or
> more) and a bit later even dropped the BGP session to us.
> 
> Our connection to them is 1GB/s, so that's not the problem. At one point the
> traffic going to them was less than 25 Mbps and 7000 pps, while the latency was
> still at 2500 ms. I tried blocking the attacking /24s on our Juniper border
> routers - there were many origins, so I only blocked the largest ones. The
> latency was still high even after blocking most of them. Only after I blocked
> the attacked destination address (a single cable broadband user) did the
> situation immediately normalize. Normal traffic towards them is around 30000
> pps and about 150 Mbps.
> 
> Does anybody have an idea what could be upsetting a 6500 so much that it
> can't even carry 7000 pps and 20 Mbps of traffic without 2000 ms latency
> through a gigabit link?
> 
> The only data I know about the 6500 is that it has a Sup720, but I don't know
> anything about the cards or IOS or even which 6500 model it is (although I can
> probably find out).
> 
> Most important question: how could one misconfigure their 6500 (hardware or
> software wise) to be *so* sensitive to DoS attacks?

	They want to have their uplink to you on the Sup720 module, since
it's distributed. That will help.

	It should be in either slot 5 or slot 6.

	- jared


-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.


More information about the cisco-nsp mailing list