[157337] in North American Network Operators' Group
Re: Attacking on Source Port 0 (ZERO)
daemon@ATHENA.MIT.EDU (Ryan Malayter)
Mon Oct 15 21:57:48 2012
From: Ryan Malayter <malayter@gmail.com>
In-Reply-To: <AF95E30D-3B1F-492E-9016-901C3BB9065F@arbor.net>
Date: Mon, 15 Oct 2012 20:57:24 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 14, 2012, at 9:02 PM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
>
> Hopefully, you have hardware-based edge devices, not just software-based devices and (awful) stateful firewalls - the days of software-based devices on the Internet were over years ago.
Software forwarding is usually only a problem if you have the $5 CPU that Cisco puts in their $30K boxes.
The overwhelming majority of edge connections are <=1Gbps. A modern x86 can handle several of these connections *per core* at minimum packet sizes with stock Linux/BSD, including ACLs.
10G+ forwarding with minimum packet sizes is possible on a single core using optimized kernels (see Intel DPDK and PF_RING DNA).
You don't need to handle more packets than you can possibly receive over your interfaces.