[65282] in North American Network Operators' Group


Re: IPSEC VPNs capable of handling worm traffic

daemon@ATHENA.MIT.EDU (Greg Maxwell)
Wed Nov 19 21:31:50 2003

Date: Wed, 19 Nov 2003 21:16:07 -0500 (EST)
From: Greg Maxwell <gmaxwell@martin.fl.us>
To: Magnus Eriksson <magnus@eriksson.mu>
Cc: <nanog@merit.edu>
In-Reply-To: <3FBBFC58.6070707@eriksson.mu>
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 20 Nov 2003, Magnus Eriksson wrote:

> The last 2 days I've been fighting against the Nachi ICMP onslaught on a
> customer network.
>
> Problem is that the "random" destination traffic seems to kill my VPNs by
> vendor N. CPU is consumed, probably due to trying to maintain/update the
> route cache. Or maybe it hits its pps limit.
> Ordinary traffic req. is approx. 10 Mbit/s mixed traffic.
> Worm traffic I would like to be able to handle is approx 2-3 kpps.
> Anyone know of any VPN boxes/routers with VPN capability that are better
> able to handle the onslaught? Are vendor C's boxes better than Nortel's?
> Is CEF going to help me? Or is the problem pps related?
> Will it help to throw a bigger box at the problem?
> Any advice greatly appreciated.

::shrugs::

I have a bunch of Linux/FreeSwan systems acting as site-to-site IPSEC
gateways, iptables firewalling, no connection tracking... At one point I
had at least three infected sites and no problems. YMMV.

In my testing my 1.mumble GHz PIII-based boxes can saturate 100 Mbit while
using AES. Anyone using a Linux system as a router with large (ahem, bigger
than /25!) subnets should be sure to adjust the neighbor table thresholds
to avoid scanning-triggered problems.
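The neighbor table adjustment the reply recommends, as an added example that is not code from the original post or from FreeS/WAN: a POSIX shell helper that derives the Linux ARP-table garbage-collection thresholds from the prefix length of the attached subnet. The sysctl names are the real kernel knobs; the 2x / 1x / 0.5x sizing rule and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: size the Linux neighbour
# (ARP) table garbage-collection thresholds for a directly attached subnet.
# A scanning worm creates one incomplete ARP entry per probed address; once
# the table passes gc_thresh3 the kernel logs "neighbour table overflow" and
# legitimate entries can be evicted.  The sysctl names below are the real
# knobs; the 2x / 1x / 0.5x sizing rule is an assumption, not a kernel rule.

# hosts_in_prefix PREFIXLEN -> number of IPv4 addresses in the prefix
hosts_in_prefix() {
    echo $(( 1 << (32 - $1) ))
}

# neigh_thresholds PREFIXLEN -> "gc_thresh1 gc_thresh2 gc_thresh3"
# thresh3: hard cap, 2x the prefix so scanned-but-absent hosts fit alongside
#          real ones; thresh2: soft limit, the prefix size; thresh1: no GC
#          below this, half the prefix.  Never below kernel defaults 128/512/1024.
neigh_thresholds() {
    n=$(hosts_in_prefix "$1")
    t1=$(( n / 2 )); [ "$t1" -lt 128 ]  && t1=128
    t2=$n;           [ "$t2" -lt 512 ]  && t2=512
    t3=$(( n * 2 )); [ "$t3" -lt 1024 ] && t3=1024
    echo "$t1 $t2 $t3"
}

# sysctl_lines PREFIXLEN -> sysctl.conf lines for the computed thresholds
sysctl_lines() {
    set -- $(neigh_thresholds "$1")
    printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
    printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

# Usage (hypothetical file name):
#   ./neigh_thresholds.sh 22 > /etc/sysctl.d/60-neigh.conf && sysctl --system
# With no argument the script only defines the functions.
if [ -n "${1:-}" ]; then
    sysctl_lines "$1"
fi
```

Check the current table size against the computed cap with `ip neigh show | wc -l` before and during an incident; a count near gc_thresh3 is the symptom this sizing is meant to prevent.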

