[c-nsp] BGP session going down during DDOS

Aaron aaron1 at gvtc.com
Thu Mar 6 23:14:36 EST 2014


I have seen BGP between my PEs and RRs also go down during DDoS.  This was
mainly seen on 1 gig links when the DDoS was in excess of 1 Gbps. I
believe I saw the following drop: EIGRP/OSPF/BGP/L2VPN PWs (carrying my
cell backhaul). DDoS was bad for a month or so last year.  I've since
implemented a bunch of policers for various types of traffic at my dual
internet boundaries and have been very pleased with the results.  DDoS doesn't
get through much anymore.

Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
redscorpion69
Sent: Thursday, March 06, 2014 12:07 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP session going down during DDOS

Today we had a couple of dozen Gbps of traffic to one of our customers.

At one point during the attack, our PE router where the customer is attached had
a BGP session to one of our RRs go down, only to go up after half a minute.

Our core has Juniper/ASR9k, our PE router in question is a 7600.

All our traffic is properly classified from RR to 7600 in both directions.
The CPU stayed fairly low on the PE, so if traffic is properly classified, how
is it possible for the router to drop BGP control plane?

If input queues are an issue, shouldn't the default SPD configuration take care
of that on the 7600?

How do we make sure this doesn't happen again?

Regards
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/