[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Rodney Dunn
rodunn at cisco.com
Tue Jun 14 15:48:39 EDT 2005
My opinion is it all depends on what you expect out of the solution.
Let's say you have this box with a single uplink to an ISP.
You still have a single point of failure. A dual box/single
CPU in each with dual uplinks is going to be more redundant.
Your cutover time may not be quite as fast depending on how the
notification/routing is done. You can get it pretty fast though.
However, if the failure is a processor crash (say IOS software bug)
and it triggers a switchover to the backup and you have SSO/NSF running
with your peers then the transit traffic interruption should be
very, very low.
It's more costly, but a dual-box, dual-uplink design with redundant processors
running in full SSO/NSF mode is about as HA as you can get today.
Maybe adding some Y-cable type support for physical connection redundancy
would add to it even more.
This isn't even scratching the surface on what it means to have a path
failure and detect it.
Rodney
On Tue, Jun 14, 2005 at 12:24:01PM -0700, Sam Crooks wrote:
> I'm interested in hearing people's opinions of the following
> configuration as a border router, specifically as related to the
> redundant NSE-100....how important is it to have the redundant engine
> and run it in NSF/SSO with the active one?:
>
> Product Description Quantity (per chassis) Total required
> CISCO7304 4-slot chassis, NSE100, 1 Power Supply, 512MB Memory 1 4
> 7300-PWR-AC Cisco 7304 AC Power Supply 1 4
> 7300-PWR/2-AC Cisco 7304 Redundant AC Power Supply Option 1 4
> CAB-AC15A-90L-US 15A AC Pwr Cord, left-angle (United States) (bundle option) 2 8
> 7300-NSE-100 Cisco 7304 NSE-100 w/512MB SDRAM, (2)GE 1 4
> 7300-I/O-CFM-128M Cisco 7304 Compact Flash Memory, 128 MB 2 8
> WS-G5484 1000BASE-SX Short Wavelength GBIC (Multimode only) 4 16
> 7300-NSE-100/2 Redundant Cisco 7304 NSE-100 1 4
> S730CHK91-12225S Cisco 7300 Series IOS IP/FW/IDS SECURED SHELL 3DES 1 4
> 7304-MSC-100 Cisco 7304 SPA Modular Services Carrier Card 1 4
> SPA-2GE-7304 2-port Half-Height Gigabit Ethernet Shared Port Adapter 1 4
> SFP-FCGE-S 1000BASE-SX Gigabit Ethernet SFP 2 8
> 7300-MEM-512 512MB SDRAM for 7304 NSE-100 1 4
> 7300-MEM-512 512MB SDRAM for 7304 NSE-100 1 4
> CON-OSP-7304 24x7x4 Onsite Svc, 4-slot chassis: NSE100: 1 Power Supply: 1 4
>
>
> (there were various gasps when I presented this price and
> configuration, as being a reasonable consensus of the minimum
> acceptable router to BGP peer and have any chance of surviving a DDoS
> attack.... and further that, Availability=MTBF/(MTBF+MTTR) per unit,
> and the serial effect of Availability on a system is the product
> series of the individual A's.... any less than 99.999% A at each point
> in a serial path through the network, means the system as a whole
> becomes less than 99.999% available, etc....the same business person
> that gasped, previously defined the target goal by commenting that Six
> Sigma (99.99966% == 1.8 min downtime /yr) is a "joke")
>
>
> On 6/14/05, james edwards <hackerwacker at cybermesa.com> wrote:
> > >
> > > Can you elaborate?
> > >
> > > ie: What hardware did they use?
> > > How did they try to mitigate the attack?
> >
> >
> > 75xx. The route-map used to drop 92 byte ICMP (for Nachi) also dropped 92
> > byte TCP, at least on the 75xx.
> > Through the provider's TAC case Cisco insisted we were seeing application
> > problems. It was left to me to debug this issue for the provider (and
> > Cisco). This lasted a month & we lost many customers. Does anyone actually
> > test these recommended mitigations? This was a huge loss of customers and a
> > large amount of OT to solve our provider's problem (and Cisco's). Sweeps of
> > TCP packets around the 92 byte size clearly demonstrated the problem.
> >
> > ACLs used to mitigate problems caused my traffic to drop to zero at approx.
> > 1 min. intervals, on a DS3 that at the slowest part of the day ran at 15
> > megs/sec. ACLs were useless due to this problem, so I quit asking this
> > provider for help. We then obtained transit DS3s from providers with
> > Junipers and have been very happy with their ability to match and discard at
> > any rate.
> >
> > My network consists of 7206VXRs, NPE300s and 400s. I have controlled
> > small DDoSes (20k-30k pps) with null routes and uRPF, after removing all
> > ACLs. From my lab tests things start getting bad at ~1 order higher.
> >
> > Based on some posts on this list it seems the G1 is not much better in its
> > abilities to withstand DDoS/DoS.
> >
> > Sorry this took so long, I have been out sick.
> >
> > James H. Edwards
> > Routing and Security Administrator
> > At the Santa Fe Office: Internet at Cyber Mesa
> > jamesh at cybermesa.com noc at cybermesa.com
> > http://www.cybermesa.com/ContactCM
> > (505) 795-7101
> >
> >
> >
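Worked example, added here and not part of the thread: the availability arithmetic quoted above (A = MTBF/(MTBF+MTTR) per unit, serial components multiplying) carried through in Python, with constructed MTBF/MTTR figures, and extended to the parallel (redundant) case that follows from the same model but is not stated in the thread.

```python
# Added example (not from the thread). Per-unit A = MTBF/(MTBF+MTTR);
# a serial path multiplies the A's; a redundant group (going beyond the
# post) fails only if every member fails, so A = 1 - prod(1 - A_i).
# All MTBF/MTTR figures below are constructed assumptions.

MINUTES_PER_YEAR = 365 * 24 * 60
FIVE_NINES = 0.99999
SIX_SIGMA = 0.9999966          # 99.99966 %, the figure quoted in the thread


def unit_availability(mtbf_hours, mttr_hours):
    """Steady-state availability of one unit: MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series(availabilities):
    """Serial path: every element must be up, so availabilities multiply."""
    total = 1.0
    for a in availabilities:
        total *= a
    return total


def parallel(availabilities):
    """Redundant group: the path is down only if all members are down."""
    unavailable = 1.0
    for a in availabilities:
        unavailable *= 1.0 - a
    return 1.0 - unavailable


def downtime_minutes_per_year(availability):
    return (1.0 - availability) * MINUTES_PER_YEAR


def compare_topologies(router_mtbf_h, router_mttr_h, uplink_availability):
    """Single router + uplink versus two independent router + uplink legs."""
    router = unit_availability(router_mtbf_h, router_mttr_h)
    leg = series([uplink_availability, router])
    return {"router": router, "single": leg, "dual": parallel([leg, leg])}


if __name__ == "__main__":
    # Constructed: 200 000 h MTBF, 4 h MTTR (24x7x4 onsite), uplink at five nines.
    result = compare_topologies(200_000, 4, FIVE_NINES)
    for name, a in result.items():
        print(f"{name:>6}: {a:.9f}  ({downtime_minutes_per_year(a):8.2f} min/yr)")
    print(f"six sigma target: {downtime_minutes_per_year(SIX_SIGMA):.1f} min/yr")
```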