[c-nsp] Re: 6500 under DDoS
Virgil
virgil at webcentral.com.au
Tue Jul 27 20:02:43 EDT 2004
> - weird features turned on (policy based routing, NBAR)
Here's an excerpt from an email about 12.2S on 7200s.
> The implementation of NBAR in 12.2s is badly broken with respect
> to fragmented packets. It's easy to bring an NPE-G1 to its knees
> without really trying very hard. NBAR was reimplemented for
> 12.3T and our tests show that it doesn't have the same problems.
The same piece of code is present in 12.1E/12.2SX, which means
that SUP1/SUP2/SUP720 are all affected as well. A little laptop
with a PCMCIA ethernet card can nuke a SUP720 with replayed
UDP frags.
> > Interface X
> > ip nbar protocol-discovery
> > Be careful about cpu usage.
The difference between nbar protocol-discovery off and on, on a 7301
running 12.2(18)S, is 9 -> 11% CPU and 20 -> 100% CPU. Traffic was
300Mbits, +25Mbits UDP frags.
It wasn't until the UDP frags came along that it was really unhappy.
Regards,
Virgil
--
WebCentral Pty Ltd, Australia's #1 Internet Web Hosting Company
Infrastructure Projects Manager
Level 6, 100 Wickham St., PO Box 930, Fortitude Valley, Queensland, Australia 4006
email: virgil at webcentral.com.au
phone: +61 7 3230 7332