[c-nsp] Unknown unicast only occuring when a host is under attack...
Jeff Kell
jeff-kell at utc.edu
Sun Mar 27 22:11:12 EDT 2011
On 3/27/2011 9:53 PM, Paul Wozney wrote:
> A server hosting administrator with many public IPs in a single VLAN
> (several thousand) was getting DDoS'd to one or two IPs a week like you were
> here. His usual method of operations for misbehaving servers was to
> physically disconnect the problem device but in this case, with a sustained
> DDoS it made things very bad. When CAM timed out because the server had
> gone offline, none of the switches knew were the traffic should go and
> started flooding it out all ports, and that's where I got my phone call!
Another cause of unicast flooding (to a common dest MAC... was that the
original issue?) is a "sinkhole" host (primarily only receives traffic).
I typically see this with dedicated syslog servers -- they only
"receive" UDP syslog traffic and rarely generate any traffic of their
own, hence their MAC is never populated into the CAMs, especially with
default ARP timeouts (4 hours). CAM times out in 5 minutes, the other
3:55 you will get flooded unicast for the syslog host.
Jeff
More information about the cisco-nsp
mailing list