[c-nsp] DDOS, router acted "oddly".
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Thu Aug 30 10:37:21 EDT 2007
Drew,
a possible cause could be buffer shortage on the linecard. Unless you
limit the queue length on the GSR interfaces, the linecard could
allocate all available buffers (and there are plenty) when one of the
links becomes congested, which could have happened if one of the GE
links needed to push more than a gig worth of traffic. If this happens,
traffic across other, non-congested ports on the LC could be affected.
A simple policy-map with "random-detect" in the class class-default will
help here.
oli
Drew Weaver <> wrote on Thursday, August 30, 2007 3:52 PM:
> I believe I know why I had the issue I had last evening when
> a 500Mbps DDOS hit our network. I believe it is due to queuing
> issues, but I am not sure, I wanted to ask you folks what you
> thought.
>
> The topology of the 'attack ' is as such:
>
> Attacker - Internet - 3Gbps aggregate(4 connections) - 2x Cisco GSR
> 12000 - 4x Gig-E - Catalyst 6509 - 100Mbps -- target host
>
> So last evening we were hit with a 500Mbps DDOS attack, this
> shouldn't have been a big deal as we have over 3Gbps in aggregate
> bandwidth and this 500Mbps pushed our total utilization up to around
> 1300Mbps. However, we noticed that the DDOS was degrading
> connectivity for all hosts on the network.
>
> * The (multiple) gig-e connections between the GSRs and the Catalyst
> 6509 were nowhere near their maximum capacity
> * I see no errors in the log files of either of the two GSRs which
> were involved
> * The 100Mbps port which the target host was connected to was
> obviously pegged.
> * There were no errors logged on that particular catalyst (although I
> believe the problem is obviously with the GSRs)
>
> I don't really see any "good?" reason why all of the traffic flowing
> through both of the GSR 12ks would have been reduced to a crawl
> unless there was some kind of queue backlash between the Catalyst and
> the GSR 12ks.
>
> Does anyone have any advice or insight?
>
> Thanks,
> -Drew
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list