[c-nsp] Rate-limiting ARPs

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Sep 13 07:25:19 EDT 2006


cisco-nsp-bounces at puck.nether.net <> wrote on Wednesday, September 13,
2006 1:16 PM:

> We cannot be sure about it, but I can't think of an alternative
> explanation. 
> 
> What we know is that traffic was directed at a specific IP
> address. When
> the server on this IP address crashed, traffic started to affect the
> whole subnet. It must have been broadcast traffic because each server
> was receiving 100mbit of traffic, and the sum of this was
> less than the total incoming DDOS traffic.

Hmm, and how was the CPU load on your 3750 during this attack? If the
3750 really generated 100Mbit of ARP requests (I doubt that the CPU
would be powerful enough to do so), it must have been *really* busy
(100%, I reckon)..

	oli



More information about the cisco-nsp mailing list