[c-nsp] All multicast punting to CPU on 6500

Tony Varriale tvarriale at comcast.net
Sun Dec 16 15:43:37 EST 2012


On 12/16/2012 10:49 AM, Robert Williams wrote:
> Hi,
>
> I'm sensing a lot of frustration / anger / hatred for NLB, having never really used it myself I'll just back away from that quietly :)
>
> Unfortunately the test is valid because the situation actually arose when a Windows NLB cluster went offline and there was a load of DDoS traffic heading to it. The whole reason I'm even working on this is because it 'did' happen, unfortunately...
It's not valid if you are randomly selecting many multicast addresses.

If you read the link I posted, it explains the issue and the 
workaround.  If you do not have the workaround as part of your use case and 
test, your test is invalid if you expect a reasonable outcome. Again, we 
can all come up with corner cases that crush boxes.

Not that I need to tell you this, but corporate standards that do 
not follow general networking common sense are not standards.  MS is 
notorious for making up their own networking solutions without consulting 
or referencing the rest of the world.

With that said, there are many, many cost-effective load balancing 
solutions in the marketplace.

> However, aside from <cough> NLB, what stops a compromised device from being used to emit such traffic maliciously?
Power button.  Or host security.
>
> In the colocation world we have seen examples where the attacker just rents a couple of VPS instances with the same provider as their target and uses it to take down the target from the 'inside' by messing with the provider's infrastructure.
External and internal DDoS protection, although they may use the 
same tactics, are 2 separate beasts.
>
> The (two lines in linux) example I was testing with would be a nice way to do this, at least until the provider tracks it down and pulls it. Which in itself could be tricky if the CPU is maxed out and/or your traffic graphing shows only 'unicast' traffic PPS, thus is blind to multicast.
>
> I assumed that there was just a configuration I was missing but it's now sounding like it's just a limitation, which is a real shame. Although it's partially possible with 15M it seems.
>
> Oh well, time to move on, so thanks again for all the input everyone :) Cheers!
>
> Robert Williams
> Custodian Data Centre
> Email: Robert at CustodianDC.com
> http://www.CustodianDC.com