[11809] in North American Network Operators' Group


Re: Loadsa ICMP...

daemon@ATHENA.MIT.EDU (Edward Henigin)
Wed Aug 13 15:48:05 1997

Date: Wed, 13 Aug 1997 14:40:05 -0500
From: Edward Henigin <ed@texas.net>
To: Jon Green <jcgreen@netins.net>
Cc: nanog@merit.edu
In-Reply-To: <199708131927.OAA04988@worf.netins.net>; from Jon Green on Wed, Aug 13, 1997 at 02:27:43PM -0500


	A 7513 with an RSP2 (100MHz MIPS R4700) can process switch
around 3500 packets/sec, by my unofficial testing.  People at cisco
may respond negatively to my post, but I'll refer them to two cases
I opened with TAC, neither of which was able to raise the ceiling
on how many packets can be process switched.

	Cisco configuration is aimed towards fast-switching as many
packets as possible.  The same box can probably fast switch a couple of
hundred thousand packets/sec or more (I have no idea, I just know it's
a lot) but if you force the box to process switch, YOU WILL KILL IT.
It will start dropping bgp sessions, etc etc, and you're toast.

	One way to force a cisco to process switch is by sending
it packets that match an ACL deny....  and this latest round of
'smurfing' will send tens of thousands of packets/sec through your
router..

	so access-list filtering is worse than useless, it is
destructive, when combating DoS attacks.

	hence the idea of using policy-routing to filter the
smurf-attacks.


	realize here that doubling (or tripling, or quadrupling) the
CPU power of the cisco will not help.  Upgrading from an rsp2 to an
rsp4 would buy you about 3 times 3.5Kpps, say around 10Kpps, process
switched.  That's still hardly enough to save you when you're being
smurfed.

	Ed

--
On Wed, Aug 13, 1997 at 02:27:43PM -0500, Jon Green said:
> 
> I'm not from a Cisco background, so forgive me, but.. What a strange
> way to configure a router.  You have to configure it in a non-intuitive
> way because the intuitive way will blow up the router?  I guess we should
> be thankful that IOS lets us get around hardware limitations of the box, but
> someone should really teach Cisco a concept called "SMP".  Just an
> observation..
> 
> -Jon
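As an added illustration of the two filtering styles Ed contrasts (this is not configuration from the post or from Cisco, and the interface name, ACL numbers and route-map name are assumptions), here is what "ACL deny" filtering and "policy-route to Null0" filtering of smurf echo-reply floods look like in 1997-era IOS syntax. The point of the second style is that the packet is matched by a permit entry and discarded by the forwarding path rather than punted to the process level; whether policy routing itself stays in the fast path depends on the IOS release (the post does not address this), so `ip route-cache policy` is shown as a release-dependent assumption.

```cisco
! Added example, not from the post. Interface name, ACL numbers and
! route-map name are illustrative assumptions.
!
! --- Style 1: access-list deny on the inbound interface ---
! Each packet that hits the deny line is process switched, so a flood of
! tens of thousands of echo-replies per second pins the RSP CPU and the
! router starts dropping BGP sessions.
access-list 101 deny   icmp any any echo-reply
access-list 101 permit ip any any
!
interface Serial0/0
 description upstream link (assumed name)
 ip access-group 101 in
!
! --- Style 2: policy-route the same traffic into Null0 ---
! The ACL now PERMITS the attack traffic so the route-map matches it,
! and the route-map sends the packet to Null0, where it is discarded
! without a process-switched ACL deny.
access-list 102 permit icmp any any echo-reply
!
route-map DROP-SMURF permit 10
 match ip address 102
 set interface Null0
!
interface Serial0/0
 no ip access-group 101 in
 ip policy route-map DROP-SMURF
 ! Assumption: on releases that support fast-switched policy routing,
 ! this keeps the route-map lookup out of the process path as well.
 ip route-cache policy
!
! Stop Null0 from generating an ICMP unreachable per discarded packet;
! those replies would themselves consume CPU during a flood.
interface Null0
 no ip unreachables
```

Before relying on either style during an attack, check `show interfaces` and `show processes cpu` for the process-switched packet count and CPU load, since that is the symptom the post is describing; the ACL-deny style makes those numbers climb with the flood, the Null0 style should not.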
