in North American Network Operators' Group
Re: Re: SYN floods (was: does history repeat itself?)
daemon@ATHENA.MIT.EDU (Dick St.Peters)
Wed Sep 11 03:22:00 1996
Date: Wed, 11 Sep 1996 03:46:06 -0400
From: "Dick St.Peters" <stpeters@NetHeaven.com>
> > I have found that 2500's do not have the processor for even basic filtering
> > when sitting in front of several hundred modems. 4700's on the other hand
> > (and 7200's) have the ability to handle the job with little difficulty.
> Really? Is there something special about 2500s as compared to AGSes? Alec
> pointed out to me that my numbers were a bit off, but they're not off by
> that much. How much traffic was there on the 2500 that you were trying to
> use for filtering? And how many ports were in use?
I'm a small enough site to provide some numbers on 2500s. My border
router is a 2514; it checks every incoming packet to be sure the
packet doesn't claim to be from my address space, and to be sure they
_are_ from my address space, it checks every outgoing packet twice[*],
once coming into the router and again on the way out. A while ago
the 5-minute average input data rate was sitting at 230 Kbps and the
5-minute cpu utilization at 25%.
This router also filters all the incoming packets again as they leave
out an enet port or the second serial (T1) port. Some packets go
through a lot of other filter steps before hitting a rule allowing
them into or out of the router. Adding all this filtering doesn't
seem to have affected the cpu utilization a whole lot, although it's
been a long time since I had all filtering turned off.
[*] Filtering twice lets me delete and rewrite one filter while still
being shielded by the other. Ok, so I waste a lot of cpu - that's
part of the point: it's a mere 2500, but I have all this cpu to spare.
230 Kbps isn't much, but it's enough to suggest I'm going to run out
of T1 before I run out of cpu.
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY
stpeters@NetHeaven.com Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
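The anti-spoofing setup Dick describes above, written out as an added IOS configuration example (not from the original post or NetHeaven's actual router). It assumes the site's address block is 192.0.2.0/24 (a placeholder documentation prefix), Serial0 is the upstream T1, and Ethernet0 faces the site's own LAN and modem pool; the list numbers and interface names are likewise assumed.

```cisco
! Inbound from the Internet: drop anything claiming to be sourced from our own space.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 permit ip any any
!
! Outbound toward the Internet: only packets sourced from our own space may leave.
access-list 102 permit ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
interface Ethernet0
 description Site LAN / modem pool (assumed name)
 ! Outbound check, first pass: source is verified as traffic enters the router.
 ip access-group 102 in
 ! Inbound traffic is checked again as it leaves toward the LAN.
 ip access-group 101 out
!
interface Serial0
 description Upstream T1 (assumed name)
 ip access-group 101 in
 ! Outbound check, second pass: the same rule is applied again as traffic leaves,
 ! so one list can be deleted and rewritten while the other still shields the site.
 ip access-group 102 out
```

On classic IOS a numbered access list cannot be edited line by line: `no access-list 102` removes the whole list, and the interface passes everything until it is re-entered, which is exactly the window the second filter covers.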