[c-nsp] Unknown unicast only occurring when a host is under attack...

Paul Wozney paul at wozney.ca
Sun Mar 27 21:53:06 EDT 2011


>
> Basically what is happening is a host in a VLAN is getting flooded with
> http requests and when this happens the http requests are being unicast to
> all ports in this VLAN.
>
> This only happens when the host is being flooded; when I block the attack,
> normal traffic isn't being unicast flooded.
>
> I would think that if this were normal unknown unicast it would always
> happen after the CAM expires the MAC entry...?


An issue similar to this got me a job a couple years ago, but it sounds like
you might have something else here.

A server hosting administrator with many public IPs (several thousand) in a
single VLAN was getting DDoS'd to one or two IPs a week, like you are here.
His usual method of operations for misbehaving servers was to physically
disconnect the problem device, but in this case, with a sustained DDoS, it
made things very bad.  When the CAM timed out because the server had gone
offline, none of the switches knew where the traffic should go and started
flooding it out all ports, and that's where I got my phone call!

I made some immediate short-term recommendations and eventually got the
network (and their administrative procedures) stable enough to handle large
attacks like this.

---
Paul Wozney
Network Consultant
phone: +1 604-629-9975
toll free: +1 866-748-0516
email: paul at wozney.ca
web: http://wozney.ca
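A small model of the mechanism Paul describes, added here as an illustration and not part of the original thread: a learning switch keeps forwarding attack traffic to the victim's port only as long as the CAM entry is refreshed, and once the victim is unplugged and the entry ages out, every further attack frame becomes unknown unicast and is flooded to all ports in the VLAN. The port names, MAC addresses, tick interval and the 300-second aging time are constructed values for the simulation (300 s is assumed as a typical default, not taken from the thread).

```python
"""Learning-switch simulation of a DDoS victim being unplugged.

Added example, not code from the cisco-nsp thread. Topology, MACs and
timers below are constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    vlan: int
    src: str
    dst: str


class LearningSwitch:
    """Minimal MAC-learning bridge with a per-entry aging timer."""

    def __init__(self, ports_by_vlan, aging_time=300):
        # vlan -> list of ports that are members of that VLAN (constructed)
        self.ports_by_vlan = ports_by_vlan
        # assumed aging time in seconds (300 s used here as a typical default)
        self.aging_time = aging_time
        # (vlan, mac) -> [learned port, time last seen]
        self.cam = {}

    def _age(self, now):
        """Drop every entry not refreshed within aging_time seconds."""
        stale = [k for k, v in self.cam.items() if now - v[1] >= self.aging_time]
        for key in stale:
            del self.cam[key]

    def forward(self, frame, in_port, now):
        """Return the egress port list for `frame` arriving on `in_port`."""
        self._age(now)
        # learn or refresh the source MAC on the ingress port
        self.cam[(frame.vlan, frame.src)] = [in_port, now]
        entry = self.cam.get((frame.vlan, frame.dst))
        if entry is not None:
            return [entry[0]]  # known unicast: one port
        # unknown unicast: flood to every other port in the VLAN
        return [p for p in self.ports_by_vlan[frame.vlan] if p != in_port]


def simulate(aging_time=300, unplug_at=60, duration=600, interval=10):
    """Attack frames reach the victim every `interval` seconds via the uplink.

    The victim answers (refreshing its CAM entry) until it is unplugged at
    `unplug_at`. Returns (time of first flooded frame or None,
    number of flooded attack frames, sorted ports hit by the flood).
    """
    vlan = 100
    uplink, victim_port = "Gi1/1", "Gi1/10"          # constructed port names
    others = [f"Gi1/{n}" for n in range(11, 21)]      # ten innocent servers
    sw = LearningSwitch({vlan: [uplink, victim_port] + others}, aging_time)
    attacker, victim = "0000.0000.aaaa", "0000.0000.0001"  # constructed MACs

    first_flood, flooded, hit = None, 0, set()
    for t in range(0, duration + 1, interval):
        if t <= unplug_at:
            # victim still online: its reply keeps the CAM entry fresh
            sw.forward(Frame(vlan, victim, attacker), victim_port, t)
        out = sw.forward(Frame(vlan, attacker, victim), uplink, t)
        if len(out) > 1:
            flooded += 1
            hit.update(out)
            if first_flood is None:
                first_flood = t
    return first_flood, flooded, sorted(hit)


if __name__ == "__main__":
    first, count, ports = simulate()
    print(f"first flooded frame at t={first}s, {count} frames flooded to {ports}")
    print("victim kept online:", simulate(unplug_at=10**6))
```

With the defaults the victim is unplugged at t=60 and the entry survives until t=360; from then on every attack frame is replicated to the eleven remaining ports, which is the "flooding out all ports" phone call. Running the same loop with the victim left online never floods a single frame, matching the original poster's observation that normal traffic to a live host is not affected.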

