[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Sam Crooks
sam.a.crooks at gmail.com
Tue Jun 14 15:24:01 EDT 2005
I'm interested in hearing people's opinions of the following
configuration as a border router, specifically as related to the
redundant NSE-100. How important is it to have the redundant engine
and run it in NSF/SSO with the active one?
Product             Description                                                  Qty per chassis  Total required
CISCO7304           4-slot chassis, NSE100, 1 Power Supply, 512MB Memory         1                4
7300-PWR-AC         Cisco 7304 AC Power Supply                                   1                4
7300-PWR/2-AC       Cisco 7304 Redundant AC Power Supply Option                  1                4
CAB-AC15A-90L-US    15A AC Pwr Cord, left-angle (United States) (bundle option)  2                8
7300-NSE-100        Cisco 7304 NSE-100 w/512MB SDRAM, (2)GE                      1                4
7300-I/O-CFM-128M   Cisco 7304 Compact Flash Memory, 128 MB                      2                8
WS-G5484            1000BASE-SX Short Wavelength GBIC (Multimode only)           4                16
7300-NSE-100/2      Redundant Cisco 7304 NSE-100                                 1                4
S730CHK91-12225S    Cisco 7300 Series IOS IP/FW/IDS SECURED SHELL 3DES           1                4
7304-MSC-100        Cisco 7304 SPA Modular Services Carrier Card                 1                4
SPA-2GE-7304        2-port Half-Height Gigabit Ethernet Shared Port Adapter      1                4
SFP-FCGE-S          1000BASE-SX Gigabit Ethernet SFP                             2                8
7300-MEM-512        512MB SDRAM for 7304 NSE-100                                 1                4
7300-MEM-512        512MB SDRAM for 7304 NSE-100                                 1                4
CON-OSP-7304        24x7x4 Onsite Svc, 4-slot chassis: NSE100: 1 Power Supply:   1                4
(There were various gasps when I presented this price and
configuration as being a reasonable consensus of the minimum
acceptable router to BGP peer and have any chance of surviving a DDoS
attack.... and further that Availability = MTBF/(MTBF+MTTR) per unit,
and the serial effect of availability on a system is the product
series of the individual A's.... any less than 99.999% A at each point
in a serial path through the network means the system as a whole
becomes less than 99.999% available, etc. The same business person
that gasped had previously defined the target goal by commenting that
Six Sigma (99.99966% == 1.8 min downtime/yr) is a "joke".)
On 6/14/05, james edwards <hackerwacker at cybermesa.com> wrote:
> >
> > Can you elaborate?
> >
> > ie: What hardware did they use?
> > How did they try to mitigate the attack?
>
>
> 75xx. The route-map used to drop 92-byte ICMP (for Nachi) also dropped
> 92-byte TCP, at least on the 75xx.
> Through the provider's TAC case Cisco insisted we were seeing application
> problems. It was left to me to debug this issue for the provider (and
> Cisco). This lasted a month & we lost many customers. Does anyone actually
> test these recommended mitigations? This was a huge loss of customers and
> a large amount of OT to solve our provider's problem (and Cisco's). Sweeps
> of TCP packets around the 92-byte size clearly demonstrated the problem.
>
> ACLs used to mitigate problems caused my traffic to drop to zero at approx.
> 1 min. intervals, on a DS3 that at the slowest part of the day ran at 15
> megs/sec. ACLs were useless, due to this problem, so I quit asking this
> provider for help. We then obtained transit DS3s from providers with
> Junipers and have been very happy with their ability to match and discard
> at any rate.
>
> My network consists of 7206VXRs, NPE-300s and 400s. I have controlled
> small DDoSes (20k-30k pps) with null routes and uRPF, after removing all
> ACLs. From my lab tests things start getting bad at ~1 order higher.
>
> Based on some posts on this list it seems the G1 is not much better in its
> abilities to withstand DDoS/DoS.
>
> Sorry this took so long, I have been out sick.
>
> James H. Edwards
> Routing and Security Administrator
> At the Santa Fe Office: Internet at Cyber Mesa
> jamesh at cybermesa.com noc at cybermesa.com
> http://www.cybermesa.com/ContactCM
> (505) 795-7101
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
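As an added worked example (not part of either message above), carrying Sam's availability formula through with assumed numbers. The 4 h MTTR is taken from the 24x7x4 onsite contract in the quote; the 100,000 h MTBF is an assumption, and the parallel step assumes independent failures and a hitless NSF/SSO switchover, neither of which the thread establishes.

Per unit:

$$A = \frac{\mathrm{MTBF}}{\mathrm{MTBF}+\mathrm{MTTR}} = \frac{100000}{100000+4} \approx 0.99996$$

which is four nines, not five. Downtime per year is

$$(1-A)\times 525600\ \text{min} \approx 4.0\times10^{-5}\times 525600 \approx 21\ \text{min}.$$

To reach $A \ge 0.99999$ with a 4 h MTTR you would need $\mathrm{MTBF} \ge \mathrm{MTTR}\,(1-A)/A \cdot A/(1-A) \approx 4 \times 99999 \approx 400000\ \text{h}$, i.e. roughly 45 years between failures of the single engine.

Series path of $n$ elements:

$$A_{\text{series}} = \prod_{i=1}^{n} A_i$$

so four elements that each just meet 99.999% give $0.99999^4 \approx 0.99996$, again about 21 min/yr against the 5.26 min/yr that 99.999% allows and the 1.8 min/yr of Six Sigma ($1 - 0.9999966 = 3.4\times10^{-6}$, $3.4\times10^{-6}\times 525600 \approx 1.79$ min).

Redundant engine, two in parallel within one chassis:

$$A_{\text{par}} = 1-(1-A)^2 = 1-(4.0\times10^{-5})^2 \approx 1 - 1.6\times10^{-9},$$

about 0.05 s/yr for the engine pair. Under these assumptions the redundant NSE is what lifts a single box past five nines; the path as a whole is then bounded by whatever non-redundant elements remain in series with it.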
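James's reply says the 92-byte length match used against Nachi also dropped 92-byte TCP. His message does not show the route-map, nor settle whether a scoping mistake or a platform problem was at fault, so the configuration below is an added illustration, not his or his provider's. It shows the one property a reader can check on their own router: a PBR clause that matches on length alone policy-routes every 92-byte IP datagram to Null0, TCP included, whereas ANDing the length match with an ICMP-only ACL limits the drop to echo/echo-reply. The ACL number, route-map names and interface are assumptions.

```cisco
! Weak form: the clause matches on length only (IP datagram length,
! bytes), so any 92-byte packet of any protocol is sent to Null0.
route-map nachi-weak permit 10
 match length 92 92
 set interface Null0
!
! Scoped form: match types within one clause are ANDed, so only
! 92-byte ICMP echo/echo-reply packets are dropped. TCP of the same
! size is policy-routed normally (falls through to routing).
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
route-map nachi-drop permit 10
 match ip address 101
 match length 92 92
 set interface Null0
!
! Apply inbound on the transit-facing interface (name assumed).
interface Serial3/0
 description upstream transit DS3
 ip policy route-map nachi-drop
```

Before relying on either form, do what James describes: sweep TCP packets of sizes around 92 bytes through the interface and confirm they arrive, and watch the clause counters with `show route-map nachi-drop` so that a match count rising under TCP-only test traffic is caught in the lab rather than by customers.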