[c-nsp] 6500 under DDoS
rwcrowe at comcast.net
Tue Jul 27 15:36:21 EDT 2004
A Sup720 should easily handle this traffic. Are you seeing any errors on your port going to them? Is there any way you can paste your port config and maybe theirs?
--
Rob Crowe
rwcrowe at comcast.net
-------------- Original message --------------
> One of our larger customers has a 6500 as their border router. They are often
> the target of DDoS attacks. I am shocked at how their 6500 behaves under the
> attacks. For example, today we had a rather small attack aimed at a single IP
> address and the latency through their 6500 jumped through the roof (2000 ms or
> more) and a bit later even dropped the BGP session to us.
>
> Our connection to them is 1GB/s, so that's not the problem. At one point the
> traffic going to them was less than 25Mbps and 7000 pps, while the latency was
> still at 2500 ms. I tried blocking the attacking /24's on our Juniper border
> routers - there were many origins, so I only blocked the largest ones. The
> latency was still high even after blocking most of them. Only after I blocked
> the attacked destination address (a single cable broadband user), the
> situation immediately normalized. Normal traffic towards them is around 30000
> pps and about 150 Mbps.
>
> Does anybody have an idea what could be upsetting a 6500 so much that it
> can't even carry 7000 pps and 20 Mbps of traffic without 2000 ms latency
> through a gigabit link???
>
> The only data I know about the 6500 is that it has a Sup720, but I don't know
> anything about the cards or IOS or even which 6500 model it is (although I can
> probably find out).
>
> Most important question: how could one misconfigure their 6500 (hardware or
> software wise) to be *so* sensitive to DoS attacks?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/