[c-nsp] 6500 under DDoS
Steve Francis
sfrancis at fastclick.com
Tue Jul 27 15:30:56 EDT 2004
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Blaz Zupan
> Sent: Tuesday, July 27, 2004 11:30 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 6500 under DDoS
>
> One of our larger customers has a 6500 as their border
> router.
> At one point the traffic going to them was less than 25Mbps
> and 7000 pps, while the latency was still at 2500 ms.
>
> Most important question: how could one misconfigure their
> 6500 (hardware or software wise) to be *so* sensitive to DoS attacks?
They must have done something clever to cause it to behave that badly.
In my tests, I could not get a reasonably configured 6500 to get at all
perturbed under (almost) any DoS I could throw at it (with a Sup
II/MSFC2, but I expect the 720 to be even better). (Exception being the
hole in the ACL that allowed the peer's BGP session. That allows a
slight window of attack, but there are things for that, too...)
I would guess they are doing something that causes CPU routing of the
traffic.
Lots of things do this, like:
- policy based routing using one of the set clauses not done hardware
- MTU rewrites
- IOS server load balancing
- ACLs that exceed the TCAM resources
Etc etc
More information about the cisco-nsp
mailing list