[c-nsp] (no subject)
Kim Onnel
karim.adel at gmail.com
Fri Jul 8 12:25:42 EDT 2005
In my humble knowledge, a lot of pps will cause severe performance problems,
because the packets hit the interface and fill the buffers. In my
network, the internet gateway is a 7600 with enough resources to handle it,
but not our PEs: BGP and IGP and TDP break. (I'm thinking CoPP and SPD
aggressive, but again without trying these things; we don't have CoPP in our
IOS and SPD will only be useful if the box got attacked, which isn't the
case.)

I thought I could mitigate this by reading NetFlow exported from the gateway
to an open-source machine and getting reports for the NOC to be able to
route to null0, but actually most of the DoS attacks we get only last for 15
minutes, and almost all the time, before the NOC takes any action, the attack
ends, and sometimes the NetFlow analyser doesn't even report a thing; we only
see spikes in our MRTG pps graphs.

When we had a 7204 with NPE300 gateway, it would fail on any DoS, but now
with the 7600, just the PE being attacked and the customers terminated on it
will fail. However, we are not satisfied with that, so that got me thinking:
how can I rate limit pps on the gateway, which is powerful enough to limit
the attack? We can't buy expensive solutions (Arbor/Cisco Anomaly Guard..).

What does Cisco have to say about this? Can there be a limit to the pps numbers
in any way, QoS or routing/MPLS features?
On 7/8/05, Jared Mauch <jared at puck.nether.net> wrote:
>
> On Fri, Jul 08, 2005 at 10:07:18AM +0200, Security wrote:
> > Hello all
> >
> > I have a few STM-1 lines connected to upstream providers and I would like
> > to configure on the interfaces permanent rate-limit commands in order to
> > rate limit the number of packets in case of a DoS attack. We are constantly
> > measuring the number of packets using Cricket, which under normal network
> > behavior is about 40K packets per second (maximum). Under a DoS attack the
> > number of packets passing through increases to about 60k or even 70K and we
> > are experiencing performance problems.
> >
> > Any suggestion of how to apply a constant rate-limit on the number of packets
> > per interface will be appreciated.
>
> There is no way on Cisco to rate-limit based on pps, last
> I knew. I spoke with people at NANOG last time it was in Phoenix
> that worked for Cisco and suggested something like this, but it
> didn't go anywhere..
>
> You can do things like rate-limit SYNs and other types
> of 'attack' traffic by using an ACL. Historically I did
> things like rate-limit ICMP on a STM-1 link to 2Mb/s. You may
> find similar thresholds helpful.
>
> - jared
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
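Jared's suggestion of rate-limiting ICMP and SYNs with an ACL, written out as an added IOS configuration example (not from the original thread or from Cisco). It assumes classic CAR (`rate-limit`) is supported on the upstream interface; the interface name, ACL numbers, SYN ceiling and burst sizes are assumptions, and the 2 Mb/s ICMP ceiling is the figure Jared quoted.

```cisco
! Constructed example: bps-based CAR on an upstream STM-1 (interface name assumed)
!
! ICMP from anywhere
access-list 101 permit icmp any any
! TCP segments with SYN set (connection attempts)
access-list 102 permit tcp any any syn
!
interface POS3/0
 description upstream STM-1 (assumed)
 ! Cap inbound ICMP at 2 Mb/s (Jared's figure); normal/max burst in bytes are assumed
 rate-limit input access-group 101 2000000 375000 750000 conform-action transmit exceed-action drop
 ! Cap inbound SYNs at 1 Mb/s (assumed ceiling); tune from the Cricket/MRTG baselines
 rate-limit input access-group 102 1000000 187500 375000 conform-action transmit exceed-action drop
!
! Check conform/exceed counters after applying:
!   show interfaces POS3/0 rate-limit
```

CAR polices bytes per second, not packets per second, which is Jared's point: the pps question itself stays open, but small-packet ICMP and SYN floods are the traffic a byte ceiling on those classes actually contains.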