[c-nsp] Rate-limiting ARPs

Ed Butler ed.butler at rapidswitch.com
Wed Sep 13 08:09:28 EDT 2006


Mikael,

Thanks very much for the suggestion - I think you have cracked it. We'll
change the ARP timeout to 5 mins and see what happens.

Regards,

Ed Butler
RapidSwitch Ltd
DDI: 020 7106 0731

RapidSwitch Ltd, 5th Floor, Sovereign House, 227 Marsh Wall, London, E14 9SD

This email message is intended only for the addressee(s) and contains
information that may be confidential and/or copyright.  If you are not
the intended recipient please notify the sender by reply email and
immediately delete this email. Use, disclosure or reproduction of this
email by anyone other than the intended recipient(s) is strictly
prohibited. No representation is made that this email or any attachments
are free of viruses. Virus scanning is recommended and is the
responsibility of the recipient. 

-----Original Message-----
From: Mikael Abrahamsson [mailto:swmike at swm.pp.se] 
Sent: 13 September 2006 12:27
To: Ed Butler
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Rate-limiting ARPs

On Wed, 13 Sep 2006, Ed Butler wrote:

> The problem manifested itself last night when a server on a /24 subnet
> was subject to a DDOS of 300kpps. The server crashed, for whatever
> reason, and once the ARP entry had timed out all of the servers on that
> /24 were bombarded with traffic until we filtered the DDOS at the
> border routers.

This more likely sounds like you have a mismatch (default behaviour)
between the ARP and mac-address-table timeouts.

The Cisco default is an ARP timeout of 4 hours and a mac-address-table
timeout of 5 minutes. So when the mac-address-table entry times out,
traffic will be flooded to all ports. That's probably what you were
seeing.

Set the ARP timeout to 5 minutes, or turn up the mac-address-table
timeout to match the ARP timeout; this should solve the scenario that is
likely to have hit you.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se
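The timer mismatch Mikael describes, written out as IOS configuration. This is an added example, not configuration from either poster; the VLAN number, addresses and the per-VLAN aging-time form are assumptions, and exact syntax varies by platform and IOS release (older releases spell the global command "mac-address-table aging-time").

```text
! --- Defaults, the state Mikael describes ---
! Router side: the SVI for the /24 keeps an ARP entry for 4 hours (14400 s).
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 arp timeout 14400
!
! Switch side: a learned MAC is aged out after 5 minutes (300 s) without
! a frame sourced from it.
mac address-table aging-time 300
!
! Failure mode: the server at 192.0.2.50 crashes and stops sending. After
! 300 s the switch ages its MAC out of the CAM table, but the router still
! holds the ARP entry for up to 4 h and keeps forwarding the 300 kpps to
! that MAC. Frames to a MAC the switch no longer knows are unknown
! unicast, so every one of them is flooded to every port in VLAN 100.
! Either fix below closes that window.
!
! --- Fix A: age the ARP entry as fast as the CAM entry ---
interface Vlan100
 arp timeout 300
!
! --- Fix B: keep the CAM entry as long as the ARP entry (this VLAN only) ---
mac address-table aging-time 14400 vlan 100
!
! --- Verify the running values ---
! show interfaces vlan 100 | include ARP Timeout
! show mac address-table aging-time
! show ip arp 192.0.2.50
```

With fix A the router re-ARPs each active host about every 5 minutes, so on a full /24 expect a few hundred extra ARP requests per 5-minute interval; modest, but worth noting given this thread's subject. Fix B avoids that at the cost of holding stale MAC entries for up to 4 hours, which delays reconvergence when a host genuinely moves ports.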
