[c-nsp] front-end box to protect wimpy Cisco router from DoS?

Hay Kan Sugeng haykan at qalacom.com
Sat May 12 00:04:39 EDT 2007


In my opinion, if you had a BGP peer, then you'd better request a BGP 
blackhole from your upstream.


Ed Ravin wrote:
> On Fri, May 11, 2007 at 05:04:25PM +1000, Brad Henshaw wrote:
>   
>> Ed Ravin:
>>     
>>> I have an elderly 7200 NPE-225 box on my network that has no 
>>> problem handling normal traffic, but every now and then 
>>> someone sends a DoS attack in its general direction and the 
>>> poor thing is unable to do anything useful
>>>       
>> What type of interface(s) connect the 7200 upstream and what traffic
>> rates & packet types are killing the box?
>>     
>
> Fast Ethernet and/or Gigabit Ethernet interfaces, hence my thinking that
> a PC would be appropriate.  Not sure if I want to use the two Mac Minis
> like in that recent post to this list, but that's the idea.
>
> I don't recall the exact numbers, but I remember that even a mere 20-30 Mb
> of traffic in short packets would send the 7200 begging for mercy.  I don't
> need to screen out all potential attacks, but I do need the ability to
> screen out any particular attack as soon as we detect it so we can get
> our traffic rolling again.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>   
