[outages] EDGE: Anyone seeing 100% CPU on Fortigate edge routers?
Roland Dobbins
rdobbins at arbor.net
Thu Jan 15 17:35:16 EST 2015
On 16 Jan 2015, at 5:17, Blake Hudson via Outages wrote:
> For instance, a 7600 Sup720 can become unresponsive due to a few Mbps
> of IP traffic with IP options hitting an ACL that punts the traffic to
> the CPU.
Yes, obsolete hardware generally has fewer TCAM resources than more
modern hardware, and fewer self-protection mechanisms. There are ways
to choke input queues, cause traffic to be punted, etc., even on more
modern hardware (although more modern hardware has various
self-protection mechanisms which can be utilized to ameliorate the
effects of such traffic). And even on older hardware, there are some
tricks one can do to limit this particular set of attack surfaces.
But stateless filtering in front of servers isn't *conceptually* flawed;
stateful filtering in front of servers *is* conceptually flawed.
Any further discussion of this topic in the context of the outages
community should probably take place on outages-discuss.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
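The stateless-versus-stateful point above can be made concrete with a small model. The following is an added example, not code from the thread or from any vendor: a stateless filter makes a per-packet decision against a fixed policy and keeps no memory, while a stateful filter must record every new flow it admits in a bounded table. The traffic mix, table capacity and timeout are constructed values chosen to show the failure mode, and the addresses are made up.

```python
"""Constructed model of a stateless ACL versus a stateful filter placed in
front of a server, under a burst of unsolicited connection attempts.
Added example; the filters, traffic and numbers are assumptions, not taken
from the mailing-list post or from any product."""
import random
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst_port: int
    legit: bool  # constructed ground truth: does a real client send this?


class StatelessFilter:
    """Per-packet policy check (like a router ACL): no state is kept, so
    nothing can be exhausted by a flood of new flows."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def accept(self, pkt, now):
        return pkt.dst_port in self.allowed


class StatefulFilter:
    """Admits a flow only if it fits in a bounded connection table.
    Entries expire after idle_timeout; a full table refuses new flows,
    legitimate or not."""

    def __init__(self, allowed_ports, capacity, idle_timeout):
        self.allowed = set(allowed_ports)
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.table = {}  # (src, dst_port) -> last time seen

    def _expire(self, now):
        stale = [k for k, t in self.table.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def accept(self, pkt, now):
        self._expire(now)
        if pkt.dst_port not in self.allowed:
            return False
        key = (pkt.src, pkt.dst_port)
        if key in self.table:
            self.table[key] = now
            return True
        if len(self.table) >= self.capacity:
            return False  # state exhausted: the filter itself is now the outage
        self.table[key] = now
        return True


def build_traffic(n_legit, n_flood, seed=1):
    """Constructed mix: n_legit real clients on 10.0.0.0/16 plus n_flood
    unsolicited packets from random (assumed spoofed) sources, interleaved."""
    rng = random.Random(seed)
    pkts = [Packet(f"10.0.{i // 250}.{i % 250 + 1}", 443, True)
            for i in range(n_legit)]
    for _ in range(n_flood):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        pkts.append(Packet(src, 443, False))
    rng.shuffle(pkts)
    return pkts


def run(filt, pkts):
    """Feed packets through a filter; time advances by one tick per packet.
    Returns counts of legitimate packets passed/dropped and flood passed."""
    legit_ok = legit_drop = flood_ok = 0
    for now, pkt in enumerate(pkts):
        ok = filt.accept(pkt, now)
        if pkt.legit:
            legit_ok += ok
            legit_drop += not ok
        else:
            flood_ok += ok
    return {"legit_passed": legit_ok, "legit_dropped": legit_drop,
            "flood_passed": flood_ok}


def compare(n_legit=200, n_flood=5000, capacity=1000):
    """Same traffic through both filters; idle timeout exceeds the run length
    so no entry expires during the burst (worst case for the stateful box)."""
    pkts = build_traffic(n_legit, n_flood)
    stateless = run(StatelessFilter([443]), pkts)
    stateful = run(StatefulFilter([443], capacity, idle_timeout=10**6), pkts)
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The stateless ACL passes every legitimate packet (and, by design, every flood packet that matches policy; absorbing the flood is the server's or upstream mitigation's job, not the ACL's). The stateful filter fills its table with unsolicited flows and then refuses new legitimate clients as well, which is the conceptual flaw the post refers to: the device meant to protect the server becomes the component that fails first.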