[nsp] PPS Interface Counters
Ryan O'Connell
ryan at complicity.co.uk
Tue Jun 22 08:48:55 EDT 2004
Lawrence Wong wrote:
>How about packets which are blocked during DoS/DDoS
>attacks? Would this break the calculation as well?
>Since you could see 10,000 pps on one interface that
>doesn't go anywhere but is taken into account when
>adding things up.
>
>
Well, Null0 has counters on it so I guess if you're routing a [D]DoS to
Null0 it'll still be accounted for as long as you check there. I've
never seen the input/output rate counters on Null0 ever read anything
other than 0, but then I've always been too busy during a serious DDoS
to look. :-) If you're blocking with ACLs or some other method, I guess
this would break the calculation.
>Does the OID which you mention earlier take into
>account all packets that are forwarded (aka work done
>by router) or is it also limited to normal & unicast?
>
>
I don't know for certain, but I suspect it counts every packet that
enters the router exactly once regardless of the number of times it's
subsequently forwarded out of the router. (Zero, one or more)
--
Ryan O'Connell - CCIE #8174
I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time