[c-nsp] 6500 under DDoS

Stephen J. Wilcox steve at telecomplete.co.uk
Tue Jul 27 14:52:27 EDT 2004


what supervisor/msfc do you have? do you have cef enabled?

can you show ip int gix/x and send the output? also sh proc cpu | e 0.00

can you show the config of the ingress and egress interface for this attack.. 
i'm particularly interested in what acls you have

Steve

On Tue, 27 Jul 2004, Blaz Zupan wrote:

> One of our larger customers has a 6500 as their border router. They are often
> the target of DDoS attacks. I am shocked at how their 6500 behaves under the
> attacks. For example, today we had a rather small attack aimed at a single IP
> address and the latency through their 6500 jumped through the roof (2000 ms or
> more) and a bit later even dropped the BGP session to us.
> 
> Our connection to them is 1GB/s, so that's not the problem. At one point the
> traffic going to them was less than 25Mbps and 7000 pps, while the latency was
> still at 2500 ms. I tried blocking the attacking /24's on our Juniper border
> routers - there were many origins, so I only blocked the largest ones. The
> latency was still high even after blocking most of them.  Only after I blocked
> the attacked destination address (a single cable broadband user), the
> situation immediately normalized. Normal traffic towards them is around 30000
> pps and about 150 Mbps.
> 
> Does anybody have an idea, what could be upsetting a 6500 so much, that it
> can't even carry 7000 pps and 20 Mbps of traffic without 2000 ms latency
> through a gigabit link???
> 
> The only data I know about the 6500 is that it has a Sup720, but I don't know
> anything about the cards or IOS or even which 6500 model it is (although I can
> probably find out).
> 
> Most important question: how could one misconfigure their 6500 (hardware or
> software wise) to be *so* sensitive to DoS attacks?
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
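The checks Steve asks for above (cef state, interface state, and especially `sh proc cpu | e 0.00`) are usually read by eye. The script below is an added example, not something from this thread or from Cisco: it parses a constructed sample of IOS `show processes cpu` output (the numbers are made up to look like a box punting attack traffic to the software path) and separates the interrupt-level share of CPU from the process-level share, then lists the busy processes. On IOS the first summary line reads `total%/interrupt%`; a high interrupt share together with a busy `IP Input` process is the general IOS signature of packets being switched in software rather than in hardware, which is the first thing to rule out when a Sup720 falls over at 7000 pps.

```python
import re

# Constructed sample of IOS "show processes cpu" output. Not real output from the
# router discussed in the thread; values are invented for illustration.
SAMPLE_SHOW_PROC_CPU = """\
CPU utilization for five seconds: 97%/82%; one minute: 94%; five minutes: 61%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   1          12       143     83  0.00%  0.00%  0.00%   0 Chunk Manager
   3        2104      1982   1061  0.00%  0.01%  0.00%   0 Exec
  72      987650   2244813    439  9.54%  8.12%  4.30%   0 IP Input
 115       45210     88120    513  2.15%  1.90%  0.95%   0 BGP Router
 120       30011     90230    332  1.77%  1.52%  0.60%   0 BGP I/O
 154          10         5   2000  0.00%  0.00%  0.00%   0 ARP Input
"""

# First line of the command output: "five seconds: <total>%/<interrupt>%".
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# One process row: PID, three integer columns, three percentages, TTY, name.
PROC_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\S+\s+(.+?)\s*$"
)


def parse_cpu_summary(text):
    """Return total, interrupt-level and process-level CPU from the summary line."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' summary line found")
    total5, interrupt5, one_min, five_min = (int(x) for x in m.groups())
    return {
        "total_5s": total5,
        "interrupt_5s": interrupt5,          # packets handled at interrupt level
        "process_5s": total5 - interrupt5,   # remainder consumed by IOS processes
        "one_min": one_min,
        "five_min": five_min,
    }


def busy_processes(text, threshold=1.0):
    """List (name, 5-second %) for processes at or above threshold, busiest first."""
    rows = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue  # summary line, column header, blank line
        _pid, p5, _p1, _p5m, name = m.groups()
        if float(p5) >= threshold:
            rows.append((name, float(p5)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def assess(text, interrupt_warn=50, ip_input_warn=5.0):
    """Turn the parsed numbers into findings an operator can act on.

    Thresholds are assumptions chosen for this example, not Cisco guidance.
    """
    summary = parse_cpu_summary(text)
    findings = []
    if summary["interrupt_5s"] >= interrupt_warn:
        findings.append(
            "interrupt-level CPU at %d%%: forwarding is happening in software, "
            "check that CEF is enabled and nothing is punting this traffic"
            % summary["interrupt_5s"]
        )
    for name, pct in busy_processes(text):
        if name == "IP Input" and pct >= ip_input_warn:
            findings.append(
                "IP Input at %.2f%%: packets are being process-switched "
                "(typical of ACL logging, ICMP/TTL handling or unroutable destinations)"
                % pct
            )
    return findings


if __name__ == "__main__":
    print(parse_cpu_summary(SAMPLE_SHOW_PROC_CPU))
    for name, pct in busy_processes(SAMPLE_SHOW_PROC_CPU):
        print("%-20s %6.2f%%" % (name, pct))
    for f in assess(SAMPLE_SHOW_PROC_CPU):
        print("!", f)
```

Feed it the real output pasted from the terminal (or from a `show tech`) and compare the interrupt share against the process share: if almost all of the load is at interrupt level the box is forwarding in software, and the interface config and ACLs Steve asks about are where to look next.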
