North American Network Operators Group


Re: Re[2]: SYN floods (was: does history repeat itself?)

  • From: Dick St.Peters
  • Date: Wed Sep 11 03:20:36 1996

> > I have found that 2500's do not have the processor for even basic filtering
> > when sitting in front of several hundred modems.  4700's on the other hand
> > (and 7200's) have the ability to handle the job with little difficulty.
> 
> Really? Is there something special about 2500s as compared to AGSes? Alec
> pointed out to me that my numbers were a bit off, but they're not off by
> that much. How much traffic was there on the 2500 that you were trying to
> use for filtering? And how many ports were in use?

I'm a small enough site to provide some numbers on 2500s.  My border
router is a 2514; it checks every incoming packet to be sure the
packet doesn't claim to be from my address space, and to be sure they
_are_ from my address space, it checks every outgoing packet twice[*],
once coming into the router and again on the way out.  Awhile ago
the 5-minute average input data rate was sitting at 230 Kbps and the
5-minute cpu utilization at 25%.

This router also filters all the incoming packets again as they leave
out an enet port or the second serial (T1) port.  Some packets go
through a lot of other filter steps before hitting a rule allowing
them into or out of the router.  Adding all this filtering doesn't
seem to have affected the cpu utilization a whole lot, although it's
been a long time since I had all filtering turned off.

[*] Filtering twice lets me delete and rewrite one filter while still
being shielded by the other.  Ok, so I waste a lot of cpu - that's
part of the point: it's a mere 2500, but I have all this cpu to spare.
230 Kbps isn't much, but it's enough to suggest I'm going to run out
of T1 before I run out of cpu.

--
Dick St.Peters,       Gatekeeper, Pearly Gateway, Ballston Spa, NY
[email protected]     Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
	  First Internet service based in the 518 area code
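The anti-spoofing setup the post describes, as an added example that is not from the post or from any router vendor: a small Python model of first-match access lists with an implicit deny, one applied inbound on the WAN link (drop packets claiming a local source) and one outbound (permit only local sources), with the outbound list applied twice to mirror the "filter twice" trick. The site prefix 192.0.2.0/24 and the sample packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed address space for the example (RFC 5737 documentation block).
LOCAL_SPACE = ip_network("192.0.2.0/24")
ANY = ip_network("0.0.0.0/0")

def evaluate_acl(acl, src):
    """First-match evaluation of one access list.

    acl is a list of (action, network) pairs checked in order; when nothing
    matches, the implicit deny that router access lists end with applies.
    """
    addr = ip_address(src)
    for action, network in acl:
        if addr in network:
            return action == "permit"
    return False

# Applied to packets arriving on the serial (WAN) interface: drop anything
# that claims a source inside the site's own address space.
INBOUND_ANTISPOOF = [("deny", LOCAL_SPACE), ("permit", ANY)]

# Applied to packets heading out the WAN interface: only sources inside
# the site's address space may leave; everything else hits the implicit deny.
OUTBOUND_ANTISPOOF = [("permit", LOCAL_SPACE)]

def passes(src, acl_chain):
    """A packet is forwarded only if every access list in the chain permits it.

    Applying the same list twice (once on entry to the router, once on exit)
    models the post's trick: one copy can be deleted and rewritten while the
    other copy still shields the link.
    """
    return all(evaluate_acl(acl, src) for acl in acl_chain)

def filter_packets(packets):
    """Return (direction, src, 'forward'|'drop') for each constructed packet."""
    decisions = []
    for direction, src in packets:
        chain = [INBOUND_ANTISPOOF] if direction == "in" else [OUTBOUND_ANTISPOOF] * 2
        decisions.append((direction, src, "forward" if passes(src, chain) else "drop"))
    return decisions

SAMPLE_PACKETS = [  # constructed traffic: (direction on the WAN link, source address)
    ("in", "203.0.113.7"),    # legitimate inbound from elsewhere
    ("in", "192.0.2.10"),     # inbound packet spoofing a local source: drop
    ("out", "192.0.2.10"),    # legitimate outbound from a local host
    ("out", "198.51.100.9"),  # outbound with a foreign source: drop
]

if __name__ == "__main__":
    for direction, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{direction:>3} {src:<16} {verdict}")
```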