[c-nsp] Rate-limiting ARPs
Gert Doering
gert at greenie.muc.de
Wed Sep 13 07:30:10 EDT 2006
Hi,
On Wed, Sep 13, 2006 at 11:57:21AM +0100, Ed Butler wrote:
> The problem manifested itself last night when a server on a /24 subnet
> was subject to a DDOS of 300kpps. The server crashed, for whatever
> reason, and once the ARP entry had timed out all of the servers on that
> /24 were bombarded with traffic until we filtered the DDOS at the border
> routers.
Unlikely.
Much more likely: the CAM entry in the *switch* timed out, and as there
was still an ARP entry in the *router*, the switch flooded the DDoS
to the whole L2 network segment.
(The ARP timeout in the routers is normally set to 4h, while the
CAM timeout in Cisco switches is far shorter, in the range of "a few
minutes").
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
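The timer mismatch Gert describes (a router ARP entry that lives for hours against a switch CAM entry that ages in minutes) can be modelled directly. The following is an added example, not code from the thread or from any Cisco product: a small Python model of one L2 segment with a router ARP cache and a switch MAC table, each with its own aging timer. The timer values are constructed from the defaults quoted in the message (4 h ARP, "a few minutes" CAM, taken here as 5 min); the host address, MAC and the 300 kpps rate are constructed sample values.

```python
"""Model of a router ARP cache versus a switch CAM table with different
aging timers, to show when unicast traffic to a dead host is flooded.
Added example; not from the original thread. Timer defaults below are
assumptions based on the values quoted in the message."""

from dataclasses import dataclass, field

ARP_TIMEOUT_DEFAULT = 4 * 60 * 60   # router ARP timeout, 4 h (quoted in the message)
CAM_AGING_DEFAULT = 5 * 60          # switch CAM aging, "a few minutes" (assumed 300 s)

# Constructed sample host on the /24 (RFC 5737 / RFC 7042 documentation values).
HOST_IP = "192.0.2.10"
HOST_MAC = "00:00:5e:00:53:01"


@dataclass
class Segment:
    """One L2 segment: a router with an ARP cache and a switch with a CAM table."""
    arp_timeout: int
    cam_aging: int
    arp_seen: dict = field(default_factory=dict)   # ip  -> time of last ARP exchange
    cam_seen: dict = field(default_factory=dict)   # mac -> time of last frame FROM that mac
    ip_to_mac: dict = field(default_factory=dict)

    def host_transmits(self, ip, mac, t, arp=False):
        """A frame from the host refreshes the switch CAM entry; only an ARP
        exchange refreshes the router's ARP entry (IOS does not refresh ARP
        on ordinary data traffic)."""
        self.cam_seen[mac] = t
        if arp:
            self.arp_seen[ip] = t
            self.ip_to_mac[ip] = mac

    def forward(self, ip, t):
        """What happens to one packet the router must deliver to `ip` at time t.
        Traffic TOWARDS the host refreshes neither table: CAM learning keys on
        the source MAC, and the dead host never answers."""
        mac = self.ip_to_mac.get(ip)
        if mac is None or t - self.arp_seen[ip] >= self.arp_timeout:
            return "arp-request"     # no ARP entry: router ARPs instead of forwarding
        if t - self.cam_seen.get(mac, float("-inf")) >= self.cam_aging:
            return "flood"           # router still unicasts to mac, switch has forgotten it
        return "unicast"             # both tables know the host: delivered to one port


def flood_seconds(arp_timeout, cam_aging):
    """Closed form: the window in which the router still has an ARP entry but
    the switch has no CAM entry. Zero once ARP expires no later than CAM."""
    return max(0, arp_timeout - cam_aging)


def simulate(arp_timeout, cam_aging, pps, horizon):
    """Host talks (including an ARP exchange) at t=0, then dies. Attack traffic
    towards it arrives at `pps` packets/s for `horizon` seconds. Returns how
    many packets were unicast, flooded to every port, or dropped for lack of
    an ARP entry."""
    seg = Segment(arp_timeout, cam_aging)
    seg.host_transmits(HOST_IP, HOST_MAC, 0, arp=True)
    counts = {"unicast": 0, "flood": 0, "arp-request": 0}
    for t in range(horizon):
        counts[seg.forward(HOST_IP, t)] += pps
    return counts


if __name__ == "__main__":
    pps = 300_000  # the 300 kpps DDoS quoted in the thread (constructed sample rate)
    print("default timers :", simulate(ARP_TIMEOUT_DEFAULT, CAM_AGING_DEFAULT, pps, ARP_TIMEOUT_DEFAULT))
    print("aligned timers :", simulate(CAM_AGING_DEFAULT, CAM_AGING_DEFAULT, pps, ARP_TIMEOUT_DEFAULT))
```

With the default timers the model floods every packet between second 300 (CAM expiry) and second 14400 (ARP expiry), i.e. for `flood_seconds(14400, 300) == 14100` seconds; aligning the two timers makes the flood window zero because the router falls back to ARPing as soon as the switch has aged the entry. On IOS the corresponding knobs are the interface-level `arp timeout` command and the global `mac address-table aging-time` command; whichever direction you move them, the check is the same: the ARP timeout must not exceed the CAM aging time on that segment. Shortening the ARP timeout costs extra ARP traffic, so raising the CAM aging time is usually the cheaper change.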