[c-nsp] 6500 under DDoS

Fredrik.Jacobsson at enskilda.se Fredrik.Jacobsson at enskilda.se
Wed Jul 28 07:05:55 EDT 2004


Hi!

I was about to try NBAR in our lab, but now I'm hesitating since I
can't see how we could take it into production with this knowledge :)
Would it be possible to create a SPAN to a port where you connect a
router that has NBAR enabled? Or won't that give you any interesting info?

How about NetFlow? Does that have the same drawbacks?

Best regards
/Fredrik Jacobsson

 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matti Saarinen
Sent: Wednesday, July 28, 2004 7:31 AM
To: sthaug at nethelp.no
Cc: cisco-nsp at puck.nether.net; blaz at inlimbo.org
Subject: Re: [c-nsp] 6500 under DDoS

sthaug at nethelp.no writes:

>> I also found out that the customer has turned on 
>> "ip nbar protocol-discovery".
>
> I believe that'll result in packets punted to the MSFC, and then you
> can easily kill the box.

 NBAR will easily kill the box. I've tried NBAR on 6500. During the
 first minimal DDoS the switch died. NBAR is done on MSFC's CPU which,
 as you wrote, should receive as few packets as possible.

 Cheers,

-- 
- Matti -
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

