[c-nsp] All multicast punting to CPU on 6500

Robert Williams Robert at CustodianDC.com
Sun Dec 16 11:49:51 EST 2012


Hi,

I'm sensing a lot of frustration / anger / hatred for NLB; having never really used it myself, I'll just back away from that quietly :)

Unfortunately the test is valid because the situation actually arose when a Windows NLB cluster went offline and there was a load of DDoS traffic heading to it. The whole reason I'm even working on this is because it 'did' happen, unfortunately...

However, aside from <cough> NLB, what stops a compromised device from being used to emit such traffic maliciously?

In the colocation world we have seen examples where the attacker just rents a couple of VPS instances with the same provider as their target and uses them to take down the target from the 'inside' by messing with the provider's infrastructure.

The (two lines in Linux) example I was testing with would be a nice way to do this, at least until the provider tracks it down and pulls it, which in itself could be tricky if the CPU is maxed out and/or your traffic graphing shows only 'unicast' traffic PPS and is thus blind to multicast.

I assumed that there was just a configuration I was missing but it's now sounding like it's just a limitation, which is a real shame. Although it's partially possible with 15M it seems.

Oh well, time to move on, so thanks again for all the input everyone :) Cheers!

Robert Williams
Custodian Data Centre
Email: Robert at CustodianDC.com
http://www.CustodianDC.com


Robert Williams
Backline / Operations Team
Custodian DataCentre
tel: +44 (0)1622 230382
email: Robert at CustodianDC.com
http://www.custodiandc.com/disclaimer.txt
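
Added example (not from this thread, nor Cisco's or any vendor's code): a small Python check illustrating the monitoring blind spot described above, where a unicast-only PPS graph stays flat while a multicast flood is busy punting to the supervisor CPU. It assumes the IF-MIB 64-bit counters ifHCInUcastPkts, ifHCInMulticastPkts and ifHCInBroadcastPkts are polled by SNMP at successive instants; the counter values are constructed, and the alert thresholds are illustrative assumptions.

```python
"""Multicast-aware packet-rate check (added example, not from the list thread).

Assumes per-interface IF-MIB 64-bit counters (ifHCInUcastPkts, ifHCInMulticastPkts,
ifHCInBroadcastPkts) captured by an SNMP poller at successive instants. Sample
values are constructed; thresholds are illustrative assumptions.
"""
from dataclasses import dataclass

COUNTER64_WRAP = 2 ** 64


@dataclass(frozen=True)
class CounterSample:
    t: float      # poll time in seconds
    ucast: int    # ifHCInUcastPkts
    mcast: int    # ifHCInMulticastPkts
    bcast: int    # ifHCInBroadcastPkts


def _delta(prev: int, cur: int) -> int:
    """Counter difference that survives a 64-bit wrap (cur < prev)."""
    return (cur - prev) % COUNTER64_WRAP


def packet_rates(prev: CounterSample, cur: CounterSample) -> dict:
    """Per-second packet rates by traffic class between two polls."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    return {
        "unicast_pps": _delta(prev.ucast, cur.ucast) / dt,
        "multicast_pps": _delta(prev.mcast, cur.mcast) / dt,
        "broadcast_pps": _delta(prev.bcast, cur.bcast) / dt,
    }


def assess(rates: dict, mcast_pps_limit: float = 10_000.0,
           mcast_share_limit: float = 0.5) -> dict:
    """Flag an interval whose multicast rate or multicast share is abnormal.

    A unicast-only graph sees just rates["unicast_pps"]; this check looks at the
    multicast class on its own, so a flood of multicast frames (the traffic that
    ends up punted to the CPU) is not hidden behind a flat unicast line.
    """
    total = rates["unicast_pps"] + rates["multicast_pps"] + rates["broadcast_pps"]
    share = rates["multicast_pps"] / total if total else 0.0
    return {
        "total_pps": total,
        "multicast_share": share,
        "alert": rates["multicast_pps"] >= mcast_pps_limit or share >= mcast_share_limit,
    }


# Constructed polls: a steady 3000 pps of unicast throughout; a multicast flood
# starts between the second and third poll. Unicast PPS is identical in both
# intervals, so a unicast-only graph would show nothing unusual.
POLLS = [
    CounterSample(t=0.0,  ucast=1_000_000, mcast=500,       bcast=100),
    CounterSample(t=10.0, ucast=1_030_000, mcast=600,       bcast=110),
    CounterSample(t=20.0, ucast=1_060_000, mcast=2_000_600, bcast=120),
]


def evaluate(polls=POLLS) -> list:
    """Assess every consecutive pair of polls; one result dict per interval."""
    results = []
    for prev, cur in zip(polls, polls[1:]):
        r = packet_rates(prev, cur)
        results.append({**r, **assess(r)})
    return results


if __name__ == "__main__":
    for i, res in enumerate(evaluate(), 1):
        print(f"interval {i}: unicast {res['unicast_pps']:.0f} pps, "
              f"multicast {res['multicast_pps']:.0f} pps, alert={res['alert']}")
```

Run as-is, the first interval stays quiet and the second raises the alert even though unicast PPS is 3000 in both; graphing the multicast (and broadcast) classes separately, or at least alerting on them, is what closes the gap the message describes.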

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: 16 December 2012 16:23
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] All multicast punting to CPU on 6500

This covers the issue well.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml

Highly recommended to stay away from MS NLB.  It's been designed poorly for over 7 years (that I know of personally).

I think your test is invalid.  You should come up with a real use case(s).  In the world of networking, most of us can come up with tests that would crush and boggle any box.

tv