[c-nsp] Rate-limiting ARPs

Gert Doering gert at greenie.muc.de
Wed Sep 13 07:30:10 EDT 2006


Hi,

On Wed, Sep 13, 2006 at 11:57:21AM +0100, Ed Butler wrote:
> The problem manifested itself last night when a server on a /24 subnet
> was subject to a DDOS of 300kpps. The server crashed, for whatever
> reason, and once the ARP entry had timed out all of the servers on that
> /24 were bombarded with traffic until we filtered the DDOS at the border
> routers.

Unlikely.

Much more likely: the CAM entry in the *switch* timed out, and as there
was still an ARP entry in the *router*, the switch flooded the DDoS 
to the whole L2 network segment.

(The ARP timeout in the routers is normally set to 4h, while the 
CAM timeout in Cisco switches is far shorter, in the range of "a few
minutes").

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
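
The timer mismatch Gert describes, as an added example that is not part of this thread: a small Python timeline model of a router ARP cache and a switch CAM table after the host goes silent. Assumptions (not from the message): the IOS default `arp timeout` of 14400 s, the Catalyst default `mac address-table aging-time` of 300 s, a constructed victim at 192.0.2.10 / 00:00:5e:00:53:10 on port Gi1/0/10, and one packet for it arriving every 60 s after it stops transmitting at t=0.

```python
"""Timeline model of a dead host behind mismatched ARP and CAM timers.

Added example, not code from the thread. Assumptions: the router ages an
ARP entry ARP_TIMEOUT seconds after it was learned (IOS default 14400 =
4h); the switch ages a CAM entry after CAM_AGING seconds without a frame
from that MAC (Catalyst default 300). Both tables were last refreshed at
t=0, which is also when the host stops sending. Traffic for the host
keeps arriving at the router every STEP seconds.
"""
from dataclasses import dataclass, field

ARP_TIMEOUT = 14400   # IOS default 'arp timeout' (seconds); assumed
CAM_AGING = 300       # Catalyst default 'mac address-table aging-time'; assumed


@dataclass
class Switch:
    aging: int
    cam: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def learn(self, mac: str, port: str, now: int) -> None:
        self.cam[mac] = (port, now)

    def forward(self, dst_mac: str, now: int) -> str:
        """Egress port for dst_mac, or 'FLOOD' for an unknown unicast."""
        entry = self.cam.get(dst_mac)
        if entry is None:
            return "FLOOD"
        port, last_seen = entry
        if now - last_seen > self.aging:
            del self.cam[dst_mac]   # aged out: every later frame is flooded
            return "FLOOD"
        return port


@dataclass
class Router:
    arp_timeout: int
    arp: dict = field(default_factory=dict)   # ip -> (mac, learned_at)

    def learn(self, ip: str, mac: str, now: int) -> None:
        self.arp[ip] = (mac, now)

    def resolve(self, ip: str, now: int):
        """MAC for ip, or None once the entry has expired (the re-ARP gets
        no reply from a dead host, so nothing replaces it)."""
        entry = self.arp.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at >= self.arp_timeout:
            del self.arp[ip]
            return None
        return mac


def simulate(arp_timeout: int = ARP_TIMEOUT, cam_aging: int = CAM_AGING,
             duration: int = 15000, step: int = 60):
    """Count how each packet for the silent host is handled and return the
    (first, last) time at which a packet was flooded, or (None, None)."""
    # Constructed victim: RFC 5737 address, RFC 7042 documentation MAC.
    victim_ip, victim_mac, victim_port = "192.0.2.10", "00:00:5e:00:53:10", "Gi1/0/10"
    sw, rtr = Switch(cam_aging), Router(arp_timeout)
    rtr.learn(victim_ip, victim_mac, 0)
    sw.learn(victim_mac, victim_port, 0)

    counts = {"unicast": 0, "flooded": 0, "dropped": 0}
    flood_start = flood_end = None
    for now in range(step, duration + 1, step):
        mac = rtr.resolve(victim_ip, now)
        if mac is None:
            counts["dropped"] += 1          # router has no MAC: packet not forwarded
            continue
        if sw.forward(mac, now) == "FLOOD":
            counts["flooded"] += 1          # hits every port in the VLAN
            flood_start = now if flood_start is None else flood_start
            flood_end = now
        else:
            counts["unicast"] += 1
    return counts, (flood_start, flood_end)


if __name__ == "__main__":
    for label, kw in (("defaults", {}),
                      ("arp timeout 240", {"arp_timeout": 240}),
                      ("cam aging 14400", {"cam_aging": 14400})):
        counts, window = simulate(**kw)
        print(f"{label:16s} {counts} flood window {window}")
```

With the defaults the model floods every packet from t=360 (first packet after the CAM entry has aged) until t=14340, and only stops once the ARP entry expires at t=14400; every other host on the segment receives the attack for almost four hours. Either `arp timeout 240` on the router's interface (below the switch aging time) or a switch aging time at or above the ARP timeout brings the flood window in the model to zero. On the boxes themselves the two values to compare are `show ip arp` on the router and `show mac address-table aging-time` on the switch. A very long CAM aging time keeps stale entries for hosts that move, and a very short ARP timeout raises ARP load, so the usual compromise is to bring the two within a few minutes of each other rather than setting one to hours.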

