[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Rodney Dunn rodunn at cisco.com
Tue Jun 14 15:48:39 EDT 2005


My opinion is it all depends on what you expect out of the solution.

Let's say you have this box with a single uplink to an ISP.
You still have a single point of failure. A dual box/single
CPU in each with dual uplinks is going to be more redundant.

Your cutover time may not be quite as fast depending on how the
notification/routing is done. You can get it pretty fast though.

However, if the failure is a processor crash (say IOS software bug)
and it triggers a switchover to the backup and you have SSO/NSF running
with your peers then the transit traffic interruption should be
very very low.

It's more costly but a dual box dual uplink with redundant processors
running in full SSO/NSF mode is about as HA as you can get today.

Maybe adding some Y-cable type support for physical connection redundancy
would add to it even more.

This isn't even scratching the surface on what it means to have a path
failure and detect it.

Rodney


On Tue, Jun 14, 2005 at 12:24:01PM -0700, Sam Crooks wrote:
> I'm interested in hearing people's opinions of the following
> configuration as a border router, specifically as related to the
> redundant NSE-100....how important is it to have the redundant engine
> and run it in NSF/SSO with the active one?:
> 
> Product	Description	Quantity (per chassis)	Total required
> CISCO7304	4-slot chassis, NSE100, 1 Power Supply, 512MB Memory	1	4
> 7300-PWR-AC	Cisco 7304 AC Power Supply	1	4
> 7300-PWR/2-AC	Cisco 7304 Redundant AC Power Supply Option	1	4
> CAB-AC15A-90L-US	15A AC Pwr Cord, left-angle (United States) (bundle option)	2	8
> 7300-NSE-100	Cisco 7304 NSE-100 w/512MB SDRAM, (2)GE	1	4
> 7300-I/O-CFM-128M	Cisco 7304 Compact Flash Memory, 128 MB	2	8
> WS-G5484	1000BASE-SX  Short Wavelength  GBIC (Multimode only)	4	16
> 7300-NSE-100/2	Redundant Cisco 7304 NSE-100	1	4
> S730CHK91-12225S	Cisco 7300 Series IOS IP/FW/IDS SECURED SHELL 3DES	1	4
> 7304-MSC-100	Cisco 7304 SPA Modular Services Carrier Card	1	4
> SPA-2GE-7304	2-port Half-Height Gigabit Ethernet Shared Port Adapter	1	4
> SFP-FCGE-S	1000BASE-SX Gigabit Ethernet SFP	2	8
> 7300-MEM-512	512MB SDRAM for 7304 NSE-100 	1	4
> 7300-MEM-512	512MB SDRAM for 7304 NSE-100 	1	4
> CON-OSP-7304	24x7x4 Onsite Svc, 4-slot chassis: NSE100: 1 Power Supply: 	1	4
> 
> 
> (there were various gasps when I presented this price and
> configuration, as being a reasonable consensus of the minimum
> acceptable router to BGP peer and have any chance of surviving a DDoS
> attack.... and further that, Availability=MTBF/(MTBF+MTTR) per unit,
> and the serial effect of Availability on a system is the product
> series of the individual A's.... any less than 99.999% A at each point
> in a serial path through the network, means the system as a whole
> becomes less than 99.999% available, etc....the same business person
> that gasped, previously defined the target goal by commenting that Six
> Sigma (99.99966% == 1.8 min downtime /yr) is a "joke")
> 
> 
> On 6/14/05, james edwards <hackerwacker at cybermesa.com> wrote:
> > >
> > > Can you elaborate?
> > >
> > > ie: What hardware did they use?
> > >     How did they try to mitigate the attack?
> > 
> > 
> > 75xx. The route-map used to drop 92 byte ICMP (for Nachi) also dropped 92
> > byte TCP, at least on the 75xx. Through the provider's TAC case, Cisco
> > insisted we were seeing application problems. It was left to me to debug
> > this issue for the provider (and Cisco). This lasted a month & we lost many
> > customers. Does anyone actually test these recommended mitigations? This
> > was a huge loss of customers and a large amount of OT to solve our
> > provider's problem (and Cisco's). Sweeps of TCP packets around the 92 byte
> > size clearly demonstrated the problem.
> > 
> > ACLs used to mitigate problems caused my traffic to drop to zero at approx.
> > 1 min. intervals, on a DS3 that at the slowest part of the day ran at 15
> > megs/sec. ACLs were useless due to this problem, so I quit asking this
> > provider for help. We then obtained transit DS3s from providers with
> > Junipers and have been very happy with their ability to match and discard at
> > any rate.
> > 
> > My network consists of 7206VXRs, NPE300s and 400s. I have controlled
> > small DDoSes (20k-30k pps) with null routes and uRPF, after removing all
> > ACLs. From my lab tests things start getting bad at ~1 order higher.
> > 
> > Based on some posts on this list it seems the G1 is not much better in its
> > abilities to withstand DDoS/DoS.
> > 
> > Sorry this took so long, I have been out sick.
> > 
> > James H. Edwards
> > Routing and Security Administrator
> > At the Santa Fe Office: Internet at Cyber Mesa
> > jamesh at cybermesa.com  noc at cybermesa.com
> > http://www.cybermesa.com/ContactCM
> > (505) 795-7101
> > 
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
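An added example, not from any poster in this thread and not an IOS configuration: a small Python model of the 92-byte filter James describes, run against constructed IPv4 packets. The length-only match is a hypothetical reconstruction of the route-map behaviour he reports (anything of IP total length 92 is dropped), shown beside a version that also requires the ICMP protocol; the size sweep is the kind of lab test that exposes the collateral TCP drops before the filter reaches production.

```python
import struct

# Constructed IPv4 packets for the test, not captured traffic. Only the
# header fields the filter inspects (protocol, total length) matter; the
# payload is filler and the addresses are RFC 5737 documentation ranges.
IPV4_HDR = "!BBHHHBBH4s4s"
ICMP, TCP = 1, 6


def build_ipv4(proto: int, total_len: int) -> bytes:
    """Build a minimal IPv4 packet of exactly total_len bytes (20-byte header)."""
    if total_len < 20:
        raise ValueError("IPv4 total length must cover the 20-byte header")
    header = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + b"\x00" * (total_len - 20)


def parse(pkt: bytes) -> dict:
    """Return the protocol and total length from an IPv4 header."""
    fields = struct.unpack(IPV4_HDR, pkt[:20])
    return {"proto": fields[6], "len": fields[2]}


def length_only_filter(pkt: bytes) -> bool:
    """Hypothetical model of the reported route-map: drop any 92-byte IP packet."""
    return parse(pkt)["len"] == 92  # True means the packet is dropped


def narrowed_filter(pkt: bytes) -> bool:
    """Same length match, qualified by protocol so only 92-byte ICMP is dropped."""
    p = parse(pkt)
    return p["proto"] == ICMP and p["len"] == 92


def sweep(filter_fn, proto: int, sizes) -> list:
    """Sizes of `proto` packets that filter_fn would drop (the lab sweep)."""
    return [n for n in sizes if filter_fn(build_ipv4(proto, n))]


def collateral_report(sizes=range(80, 105)) -> dict:
    """Compare both filters over a sweep of TCP and ICMP packet sizes."""
    return {
        "length_only_tcp_dropped": sweep(length_only_filter, TCP, sizes),
        "narrowed_tcp_dropped": sweep(narrowed_filter, TCP, sizes),
        "narrowed_icmp_dropped": sweep(narrowed_filter, ICMP, sizes),
    }


if __name__ == "__main__":
    for name, dropped in collateral_report().items():
        print(f"{name}: {dropped}")
```

A sweep like this is cheap to run against any proposed length-based ACL or route-map; any non-empty TCP result is collateral damage to legitimate sessions of that size.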

