[c-nsp] ddos attack makes c6509 cpu soared.

Tim Stevenson tstevens at cisco.com
Tue Apr 1 10:31:22 EDT 2008 

At 10:10 AM 4/1/2008 +0200, Peter Rathlev observed:
>On Tue, 2008-04-01 at 06:13 +0000, MontyRee wrote:
> > I have operated sup720 based c6509(DFC3 included) with time-based
> >  sampling netflow enabled.
> >
> > Some days ago, there was a ddos attack against the server over 1Mpps,
> > then the cpu of the c6509 soared from 5 to 95.
> >
> > As I know, sup720 based c6509 can do services upto 30Mpps, but I can't
> >  understand why the cpu is high?
>
>The 30 mpps is the raw forwarding rate. If you start doing things like
>NDE you will get lower performance.

It's 30Mpps (assuming central fwding in compact mode) regardless of 
packet size & regardless of NF, qos, ACL, etc enabled w/in the 
constraints of what's supported in hw. NF collection is supported in hw.

Enabling NDE doesn't change that, but the aging/export process will 
drive up the CPU (again, not impacting performance unless the control 
plane ends up overburdened and protocols start reconverging etc), 
especially with a consistently full table. But the hw continues to 
fwd at 30Mpps.


> > Is there any relations with netflow enabled config? cisco website says
> >  that the flow number of netflow supports to 128,000. Then, should I
> >  disable netflow when ddos attacked?
>
>The Sup720 does Netflow characterization in hardware, but the export is
>handled by the processor, so if you use NDE you could be hit bad by
>DDoS. The flow mask you use also has a lot to say about how many flows
>are generated.
>
>Doing sampled Netflow should reduce the problem a little, even though
>you might end up generating almost the same number of flows and thus the
>same amount of exports.

Sampled probably won't help, in fact it could hurt. Sampled on 
7600/6500 purges the NF table in large batches on a (short) regular 
basis & can drive up the CPU. Using full NF & increasing the aging 
timers will prob be more effective in reducing CPU during a time of 
heavy NF table utilization.

On the other hand, not sure we've established yet that NDE is 
actually to blame for the high CPU in this case, based on the 
information so far...

Tim

>Disable netflow during DDoS attack? Well, netflow can help you find the
>cause, and 95% CPU is not necessarily a problem, but dead routers are of
>no use of course. :-)
>
>Regards,
>Peter
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/



Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Data Center BU
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

More information about the cisco-nsp mailing list