[80705] in North American Network Operators' Group


RE: DOS attack tracing

daemon@ATHENA.MIT.EDU (Chris Ranch)
Tue May 10 11:49:02 2005

Date: Tue, 10 May 2005 11:47:05 -0400
From: "Chris Ranch" <CRanch@Affinity.com>
To: "Richard" <richard@o-matrix.org>,
	"Will Yardley" <nanog@veggiechinese.net>, <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu


On Monday, May 09, 2005 5:49 PM, Richard wrote:
> >
> > On Mon, May 09, 2005 at 01:35:06PM -1000, Richard wrote:
> >
> > > We recently experienced several DOS attacks which drove
> > > our backbone routers CPU to 100%. The routers are not
> > > under attack, but the router just couldn't handle the
> > > traffic. There is a plan to upgrade these routers.
> >
> > What kind of routers? We had problems like this with Cisco
> > 7206VXRs with NPE-300s at my last job because they just
> > couldn't handle the high volume of packets-per-second from
> > certain types of attack.
>
> Oh... I guess that it would be a known issue then... we have the
> exact same type of routers. Our routers normally run at 35%
> CPU. What sucks is that the traffic volume doesn't have to be
> very high to bring down the router.

Yes, the 7206vxr with whatever processor really checks out when under
any kind of real flood through it.  Its big brother, the 7304-NSE100
does as well.  But the 7304-NPE100 with the PXF can forward that (d)DoS
very well.  Even with fairly extensive ingress filters.  The kick in the
head is that the processors are the same price.  I don't know why they
even sell the NPE100...

Then you can take whatever measures you like to characterize and
mitigate. A combination of upstream null routing (poisoning
communities), ingress filters, core null routing, and your favorite ddos
mitigation equipment filtering has been very effective for us.

Chris
--------------------------------
Chris Ranch
Director of Network Architecture
Affinity Internet, Inc.
