[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Sam Crooks sam.a.crooks at gmail.com
Tue Jun 14 16:01:33 EDT 2005


I was thinking of 2 routers, each with an ethernet uplink to a peer in the ISP.

I'd like 2 uplinks per ISP per router, 2 routers... and each link from
a different MSC and different SPA within the chassis... but that gets
spendy.


Sam

On 6/14/05, Rodney Dunn <rodunn at cisco.com> wrote:
> My opinion is it all depends on what you expect out of the solution.
> 
> Let's say you have this box with a single uplink to an ISP.
> You still have a single point of failure. A dual box/single
> CPU in each with dual uplinks is going to be more redundant.
> 
> Your cutover time may not be quite as fast depending on how the
> notification/routing is done. You can get it pretty fast though.
> 
> However, if the failure is a processor crash (say IOS software bug)
> and it triggers a switchover to the backup and you have SSO/NSF running
> with your peers then the transit traffic interruption should be
> very very low.
> 
> It's more costly but a dual box dual uplink with redundant processors
> running in full SSO/NSF mode is about as HA as you can get today.
> 
> Maybe adding some Y-cable type support for physical connection redundancy
> would add to it even more.
> 
> This isn't even scratching the surface on what it means to have a path
> failure and detect it.
> 
> Rodney
> 
> 
> On Tue, Jun 14, 2005 at 12:24:01PM -0700, Sam Crooks wrote:
> > I'm interested in hearing people's opinions of the following
> > configuration as a border router, specifically as related to the
> > redundant NSE-100....how important is it to have the redundant engine
> > and run it in NSF/SSO with the active one?:
> >
> > Product            Description                                                  Quantity (per chassis)  Total required
> > CISCO7304          4-slot chassis, NSE100, 1 Power Supply, 512MB Memory         1                       4
> > 7300-PWR-AC        Cisco 7304 AC Power Supply                                   1                       4
> > 7300-PWR/2-AC      Cisco 7304 Redundant AC Power Supply Option                  1                       4
> > CAB-AC15A-90L-US   15A AC Pwr Cord, left-angle (United States) (bundle option)  2                       8
> > 7300-NSE-100       Cisco 7304 NSE-100 w/512MB SDRAM, (2)GE                      1                       4
> > 7300-I/O-CFM-128M  Cisco 7304 Compact Flash Memory, 128 MB                      2                       8
> > WS-G5484           1000BASE-SX Short Wavelength GBIC (Multimode only)           4                       16
> > 7300-NSE-100/2     Redundant Cisco 7304 NSE-100                                 1                       4
> > S730CHK91-12225S   Cisco 7300 Series IOS IP/FW/IDS SECURED SHELL 3DES           1                       4
> > 7304-MSC-100       Cisco 7304 SPA Modular Services Carrier Card                 1                       4
> > SPA-2GE-7304       2-port Half-Height Gigabit Ethernet Shared Port Adapter      1                       4
> > SFP-FCGE-S         1000BASE-SX Gigabit Ethernet SFP                             2                       8
> > 7300-MEM-512       512MB SDRAM for 7304 NSE-100                                 1                       4
> > 7300-MEM-512       512MB SDRAM for 7304 NSE-100                                 1                       4
> > CON-OSP-7304       24x7x4 Onsite Svc, 4-slot chassis: NSE100: 1 Power Supply:   1                       4
> >
> >
> > (there were various gasps when I presented this price and
> > configuration, as being a reasonable consensus of the minimum
> > acceptable router to BGP peer and have any chance of surviving a DDoS
> > attack.... and further that, Availability=MTBF/(MTBF+MTTR) per unit,
> > and the serial effect of Availability on a system is the product
> > series of the individual A's.... any less than 99.999% A at each point
> > in a serial path through the network, means the system as a whole
> > becomes less than 99.999% available, etc....the same business person
> > that gasped, previously defined the target goal by commenting that Six
> > Sigma (99.99966% == 1.8 min downtime /yr) is a "joke")
> >
> >
> > On 6/14/05, james edwards <hackerwacker at cybermesa.com> wrote:
> > > >
> > > > Can you elaborate?
> > > >
> > > > ie: What hardware did they use?
> > > >     How did they try to mitigate the attack?
> > >
> > >
> > > 75xx. The route-map used to drop 92 byte ICMP (for Nachi) also dropped 92
> > > byte TCP, at least on the 75xx. Through the provider's TAC case Cisco
> > > insisted we were seeing application problems. It was left to me to debug
> > > this issue for the provider (and Cisco). This lasted a month & we lost
> > > many customers. Does anyone actually test these recommended mitigations?
> > > This was a huge loss of customers and a large amount of OT to solve our
> > > provider's problem (and Cisco's). Sweeps of TCP packets around the 92
> > > byte size clearly demonstrated the problem.
> > >
> > > ACL's used to mitigate problems caused my traffic to drop to zero at
> > > approx 1 min. intervals, on a DS3 that at the slowest part of the day ran
> > > at 15 megs/sec. ACLs were useless, due to this problem, so I quit asking
> > > this provider for help. We then obtained transit DS3's from providers with
> > > Junipers and have been very happy with their ability to match and discard
> > > at any rate.
> > >
> > > My network consists of 7206VXR's, NPE300's and 400's. I have controlled
> > > small DDoS'es (20k-30k pps) with null routes and uRPF, after removing all
> > > ACL's. From my lab tests things start getting bad at ~ 1 order higher.
> > >
> > > Based on some posts on this list it seems the G1 is not much better in its
> > > abilities to withstand DDoS/DoS.
> > >
> > > Sorry this took so long, I have been out sick.
> > >
> > > James H. Edwards
> > > Routing and Security Administrator
> > > At the Santa Fe Office: Internet at Cyber Mesa
> > > jamesh at cybermesa.com  noc at cybermesa.com
> > > http://www.cybermesa.com/ContactCM
> > > (505) 795-7101
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
>
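The availability arithmetic Sam cites (Availability = MTBF/(MTBF+MTTR), and the product of the individual A's along a serial path) worked through for the single-box versus dual-box/dual-uplink designs discussed above. This is an added example, not code from anyone in the thread; it goes one step beyond the thread by applying the standard parallel-redundancy rule for independent components, and all MTBF/MTTR figures in it are constructed.

```python
"""Availability arithmetic for the border-router designs in the thread.

Added example. Uses A = MTBF / (MTBF + MTTR) and the series-product rule
from the thread, plus the standard parallel rule 1 - prod(1 - A_i) for
independent redundant components. All MTBF/MTTR inputs are constructed.
"""

MINUTES_PER_YEAR = 365.25 * 24 * 60


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one unit: A = MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series(*avail: float) -> float:
    """Every component must be up: A = A1 * A2 * ... * An."""
    result = 1.0
    for a in avail:
        result *= a
    return result


def parallel(*avail: float) -> float:
    """Any one of N independent components suffices: A = 1 - prod(1 - Ai)."""
    unavail = 1.0
    for a in avail:
        unavail *= 1.0 - a
    return 1.0 - unavail


def downtime_minutes_per_year(avail: float) -> float:
    """Expected downtime per year implied by an availability figure."""
    return (1.0 - avail) * MINUTES_PER_YEAR


def border_design(router_a: float, uplink_a: float, dual: bool) -> float:
    """One leg = router and its uplink in series; 'dual' puts two legs in parallel."""
    leg = series(router_a, uplink_a)
    return parallel(leg, leg) if dual else leg


if __name__ == "__main__":
    five_nines = 0.99999                     # 99.999% per element
    # Six Sigma figure quoted in the thread: 99.99966% is about 1.8 min/yr.
    print(f"99.99966% -> {downtime_minutes_per_year(0.9999966):.2f} min/yr")
    # Three five-nines elements in series already fall below five nines.
    print(f"3 x five nines in series -> {series(*[five_nines] * 3):.7f}")
    # Constructed: router from MTBF/MTTR in hours, uplink assumed 99.9%.
    router = availability(mtbf_hours=200_000, mttr_hours=2)
    print(f"single box/uplink -> {border_design(router, 0.999, False):.7f}")
    print(f"dual box/uplink   -> {border_design(router, 0.999, True):.9f}")
```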