[c-nsp] ddos attack makes c6509 cpu soared.

Peter Rathlev peter at rathlev.dk
Tue Apr 1 04:10:24 EDT 2008


On Tue, 2008-04-01 at 06:13 +0000, MontyRee wrote:
> I have operated sup720 based c6509(DFC3 included) with time-based
>  sampling netflow enabled.
> 
> Some days ago, there was a ddos attack against the server over 1Mpps, 
> then the cpu of the c6509 soared from 5 to 95.
> 
> As I know, sup720 based c6509 can do services up to 30Mpps, but I can't
>  understand why the cpu is high?

The 30 mpps is the raw forwarding rate. If you start doing things like
NDE you will get lower performance.

> Is there any relation with the netflow enabled config? cisco website says
>  that netflow supports up to 128,000 flows. Then, should I
>  disable netflow when a ddos attack occurs?

The Sup720 does Netflow characterization in hardware, but the export is
handled by the processor, so if you use NDE you could be hit badly by
DDoS. The flow mask you use also has a lot to say about how many flows
are generated.

Doing sampled Netflow should reduce the problem a little, even though
you might end up generating almost the same number of flows and thus the
same amount of exports.

Disable netflow during a DDoS attack? Well, netflow can help you find the
cause, and 95% CPU is not necessarily a problem, but dead routers are of
no use of course. :-)

Regards,
Peter
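To see why the flow mask matters for the number of flows (and thus NDE exports) generated by a spoofed flood, here is an added example, not code from the thread or from Cisco: a small Python model that counts how many NetFlow entries each mask would create for constructed attack traffic and compares that with the 128,000-entry table size mentioned above. The traffic, the three mask names and the header fields each one keys on are assumptions of this model, not a statement of actual Sup720 behaviour.

```python
import random

# Constructed traffic (an assumption of this example): a spoofed flood from
# many random sources towards one victim, plus a little ordinary traffic.
# Packet fields: ingress interface, src IP, src port, dst IP, dst port, proto.
def make_packets(n_attack, n_normal, seed=1):
    rng = random.Random(seed)
    rand_ip = lambda: "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                                       rng.randrange(256))
    pkts = [("Vlan10", rand_ip(), rng.randrange(1024, 65536), "192.0.2.10", 80, 6)
            for _ in range(n_attack)]
    pkts += [("Vlan10", "198.51.100.%d" % rng.randrange(1, 50),
              rng.randrange(1024, 65536), "192.0.2.%d" % rng.randrange(1, 20),
              rng.choice([25, 80, 443]), 6)
             for _ in range(n_normal)]
    rng.shuffle(pkts)
    return pkts

# Which fields each flow mask keys a NetFlow entry on. The names follow the
# Cisco keywords but the field sets are a simplified model, not the real ones.
FLOW_MASKS = {
    "destination":        lambda p: (p[3],),
    "source-destination": lambda p: (p[1], p[3]),
    "interface-full":     lambda p: p,
}

def flow_entries(packets, mask):
    """Number of distinct NetFlow entries this mask produces for the traffic."""
    key = FLOW_MASKS[mask]
    return len({key(p) for p in packets})

def report(packets, table_capacity=128_000):
    """Entries per mask and whether each would overflow the flow table.

    Every entry is a candidate for export, so this is also a rough measure
    of the NDE load the processor would have to handle."""
    out = {}
    for mask in FLOW_MASKS:
        n = flow_entries(packets, mask)
        out[mask] = (n, n > table_capacity)
    return out

if __name__ == "__main__":
    pkts = make_packets(n_attack=200_000, n_normal=2_000)
    for mask, (n, full) in report(pkts).items():
        print("%-20s %8d entries%s" % (mask, n,
                                        "  (table overflow)" if full else ""))
```

With a spoofed flood the full mask creates roughly one entry per attack packet, while a destination-only mask keeps the count near the number of targets, which is the difference in export volume the reply refers to.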
