[c-nsp] Unknown unicast only occurring when a host is under attack...
Jeroen van Ingen
jeroen at zijndomein.nl
Sat Mar 26 09:08:01 EDT 2011
> > Assuming the DoS attack is routed traffic (since it's in netflow) it
> > won't cause overflows in L2 forwarding table CAM.
>
> Unless there's a layer2 device downstream from the router.
>
Not even then. Layer 2 source/dest addresses are rewritten on every
router hop. All traffic going through a router will have that router's
MAC address as L2 source. So even if you have 400,000 packets coming
through a router, each packet may have a different source IP but all
will have the same source MAC.
No matter how many Layer 2 devices are downstream: they won't alter the
packets, won't look at the Layer 3 source/dest and will only look at the
L2 source/dest (which are, in this case, router MAC as source and "host
under attack MAC" as destination).
Have a look with a packet sniffer (e.g. Wireshark) if you don't believe me :)
Regards,
Jeroen van Ingen
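The behaviour Jeroen describes can be checked with a small model rather than a live capture. The following Python script is an added example, not code from the original post or from the cisco-nsp list; it models one router hop rewriting both L2 addresses and a learning switch downstream that learns from the L2 source only. All MAC addresses, IP addresses and port numbers in it are constructed sample values, and the `LearningSwitch`, `route_hop` and `Frame` names are this example's own.

```python
"""Model of L2 rewriting at a router hop feeding a downstream learning switch.

Shows the point of the post: routed traffic arrives on the switch with the
router's MAC as L2 source however many source IPs it carries, so it creates
exactly one CAM-table entry. Every address and port number here is constructed.
"""
from dataclasses import dataclass
import ipaddress

ROUTER_MAC = "00:00:5e:00:01:01"   # constructed: router's LAN-side interface MAC
VICTIM_MAC = "52:54:00:aa:bb:cc"   # constructed: MAC of the host under attack
VICTIM_IP = "192.0.2.10"           # constructed: that host's IP on the LAN
UPLINK_PORT = 1                    # constructed: switch port facing the router
VICTIM_PORT = 7                    # constructed: switch port facing the host


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def route_hop(frame: Frame, router_mac: str, arp_table: dict) -> Frame:
    """One router hop: the IP header is untouched, both L2 addresses are rewritten.
    Source MAC becomes the egress interface, destination MAC comes from the ARP cache."""
    return Frame(src_mac=router_mac, dst_mac=arp_table[frame.dst_ip],
                 src_ip=frame.src_ip, dst_ip=frame.dst_ip)


class LearningSwitch:
    """Minimal learning switch: learns source MAC per port, forwards on destination MAC."""

    def __init__(self, capacity: int = 8192):
        self.table: dict = {}        # MAC -> port, i.e. the CAM table
        self.capacity = capacity
        self.unknown_unicast = 0     # frames flooded because the dst MAC was unknown

    def receive(self, frame: Frame, in_port: int) -> str:
        # Learning consults only the L2 source; the IP addresses are never looked at.
        if frame.src_mac not in self.table and len(self.table) < self.capacity:
            self.table[frame.src_mac] = in_port
        # Forwarding consults only the L2 destination.
        if frame.dst_mac in self.table:
            return f"port {self.table[frame.dst_mac]}"
        self.unknown_unicast += 1
        return "flood"


def routed_traffic_to_victim(n_sources: int, victim_has_spoken: bool = True):
    """Send n_sources packets, each from a distinct source IP, through the router
    to the victim. Returns (CAM entries that traffic created, frames flooded)."""
    sw = LearningSwitch()
    if victim_has_spoken:
        # The host sent something earlier, so the switch already knows its MAC/port.
        sw.receive(Frame(VICTIM_MAC, ROUTER_MAC, VICTIM_IP, "198.51.100.1"), VICTIM_PORT)
    arp = {VICTIM_IP: VICTIM_MAC}
    entries_before, floods_before = len(sw.table), sw.unknown_unicast
    net = ipaddress.ip_network("10.0.0.0/8")
    for i in range(n_sources):
        # Constructed upstream frame: its L2 header is the previous hop's and is
        # discarded by the router; only the IP header survives the hop.
        pkt = Frame("02:00:00:00:00:ff", "02:00:00:00:00:fe", str(net[i + 1]), VICTIM_IP)
        sw.receive(route_hop(pkt, ROUTER_MAC, arp), UPLINK_PORT)
    return len(sw.table) - entries_before, sw.unknown_unicast - floods_before


def local_segment_traffic(n_hosts: int) -> int:
    """Contrast case: n_hosts on the same segment each send one frame to the victim.
    Here every host's own MAC is the L2 source, so each creates its own entry."""
    sw = LearningSwitch()
    for i in range(n_hosts):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # constructed local host MAC
        sw.receive(Frame(mac, VICTIM_MAC, f"192.0.2.{100 + i}", VICTIM_IP), 10 + i)
    return len(sw.table)


if __name__ == "__main__":
    print("400,000 source IPs via router:", routed_traffic_to_victim(400_000))
    print("same, victim MAC not yet learned:", routed_traffic_to_victim(400_000, False))
    print("3 local hosts on the segment:", local_segment_traffic(3))
```

With the victim's MAC already learned, 400,000 distinct source IPs add one entry (the router's MAC) and nothing is flooded; the second run shows that unknown-unicast flooding depends only on whether the destination MAC is in the table, not on how many source IPs the stream carries. On a real capture the same check is a Wireshark display filter on the L2 source, such as `eth.src == 00:00:5e:00:01:01` with the router's actual MAC substituted.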