[55152] in North American Network Operators' Group
Re: DOS?
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Sat Jan 25 14:14:37 2003
Date: Sat, 25 Jan 2003 19:07:01 +0100 (CET)
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Rob Thomas <robt@cymru.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <ROTMAILER.0301250935250.24333-100000@dragon.sauron.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, 25 Jan 2003, Rob Thomas wrote:
> ] access-list 150 deny udp any any eq 1434 log-input
> Be _very_ careful about enabling such logging. Some of the worm flows
> have filled GigE pipes. I doubt you really want to log that; Netflow
> is a better option in this case. Too much logging will raise the CPU
> utilization to the point of creating a DoS on the router.
As a general rule, yes. But:
" Access list logging does not show every packet that matches an entry.
Logging is rate-limited to avoid CPU overload. What logging shows you is
a reasonably representative sample, but not a complete packet trace.
Remember that there are packets you're not seeing.
Access lists and logging have a performance impact, but not a large one.
Be careful on routers running at more than about 80 percent CPU load, or
when applying access lists to very high-speed interfaces. "
( http://www.cisco.com/warp/public/707/22.html )
There doesn't seem to be a noticeable impact on CPU usage for a C12000
GigE linecard. Can you do Netflow rather than CEF on such a beast
without a performance penalty?
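As an added example, not part of the thread or of anyone's posted code: a small Python parser for the `%SEC-6-IPACCESSLOGP` syslog messages that a `log-input` ACL entry like the one quoted above produces (message layout as documented by Cisco for IOS), run over a few constructed log lines to tally denied hits on udp/1434 per source. The tally sums the "N packets" figures IOS puts in each message, but because IOS rate-limits these messages, as the Cisco text quoted above says, the totals are a sample and a lower bound, not a count of every matching packet.

```python
import re
from collections import Counter

# Syslog lines as emitted by Cisco IOS for a "log-input" ACL entry
# (layout per Cisco documentation). These lines are CONSTRUCTED sample
# data for this example; the addresses come from the RFC 5737 ranges.
SAMPLE_LOG = """\
Jan 25 18:59:01.123: %SEC-6-IPACCESSLOGP: list 150 denied udp 192.0.2.10(1032) (GigabitEthernet1/0 0011.2233.4455) -> 198.51.100.5(1434), 1 packet
Jan 25 19:04:02.456: %SEC-6-IPACCESSLOGP: list 150 denied udp 192.0.2.10(1032) (GigabitEthernet1/0 0011.2233.4455) -> 198.51.100.77(1434), 842 packets
Jan 25 19:04:02.789: %SEC-6-IPACCESSLOGP: list 150 denied udp 203.0.113.9(2077) (GigabitEthernet1/0 00aa.bbcc.ddee) -> 198.51.100.12(1434), 5 packets
Jan 25 19:04:03.001: %SEC-6-IPACCESSLOGP: list 150 denied udp 192.0.2.10(1032) (GigabitEthernet1/0 0011.2233.4455) -> 198.51.100.200(1434), 1 packet
Jan 25 19:04:03.200: %SEC-6-IPACCESSLOGP: list 150 permitted udp 192.0.2.44(53) (GigabitEthernet1/0 0011.2233.9999) -> 198.51.100.1(53), 12 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"   # ingress interface + MAC: only with log-input
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Yield one dict per ACL log message; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec

def tally_denied(text, acl="150", dport="1434"):
    """Sum the per-message packet counts of denied hits to dport, keyed by
    (source IP, ingress interface, source MAC). IOS rate-limits these
    messages, so each total is a lower bound, not a complete packet trace."""
    hits = Counter()
    for rec in parse_acl_log(text):
        if rec["acl"] == acl and rec["action"] == "denied" and rec["dport"] == dport:
            hits[(rec["src"], rec["ifname"], rec["mac"])] += rec["count"]
    return hits

if __name__ == "__main__":
    for (src, ifname, mac), n in tally_denied(SAMPLE_LOG).most_common():
        print(f"{src:15} via {ifname} {mac}: at least {n} packets")
```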