[c-nsp] high interrupt CPU due to traffic for IP not in arp-cache

Peter Rathlev peter at rathlev.dk
Mon Jul 14 12:32:43 EDT 2008


On Mon, 2008-07-14 at 18:07 +0200, Iddo wrote:
> We are running a 6500/sup720-3BXL with 12.2.18SXF13
> A DoS attack 300,000pps was sent to an IP address which is directly
> connected, but not in use by a machine.
> The arp entry for the target IP address is "incomplete".
> 
> This caused interrupt based CPU to 90+ %, which in turn caused
> OSPF/BGP etc to timeout.
> 
> I can reproduce the results with a packet generator.
> 
> Can anyone recommend a solution for this?

The problem would be because the 6500 tries to determine the L2 address
of the destination host via ARP.

There are a couple of solutions. As a simple solution, you can rate
limit packets punted to the RP for ARP resolution. This will generally
rate limit ARP, and should be used carefully since you could be DoS'ed
in another way: Starving your ability to ARP. The command is "mls
rate-limit unicast cef glean <PPS>".

Since the host doesn't exist, you could also blackhole just this host,
e.g. "ip route 10.1.2.3 255.255.255.255 Null0" for the host 10.1.2.3.
For the 6500 this would just throw traffic to that host away, and not
disturb your RP.

Of course there could be a point in blocking this closer to the source,
but that might not be easy.

Regards,
Peter