North American Network Operators Group

Re: DOS?
On Sat, 25 Jan 2003, Jack Bates wrote:

> > I think today's events show that CPU-based routers have no business
> > handling anything more than 1 x 100 Mbps in and 1 x 100 Mbps out. If a
> > box has 40 FE interfaces or 4 GE interfaces, at some point you'll see 4
> > Gbps coming in so the box must be able to handle it to some usable
> > degree.

> Actually, you wouldn't expect to see 4 Gbps coming in.

You wouldn't expect it, but it simply happens anyway.

> That would be full saturation, which would imply serious performance
> degradation. Most networks that I've dealt with stick to a 70-80%
> saturation rule.

Unfortunately worms (or denial of service attackers) don't play nice.

> In addition, many of the problems concerning this traffic weren't
> throughput issues. Each router has a bandwidth limitation and a pps
> limitation. The worst DDOS I've had to deal with didn't even show as a
> bandwidth spike on my circuits but exceeded the pps of the router.

That's my point: if you can exceed the router's pps while staying within
the aggregate bandwidth for all ports on the box, you'll find yourself in
trouble at some point.

> Luckily, such attacks are easily dealt with using access-lists as the
> router is optimized to block more pps than it is designed to switch.

This worm had both. First of all, I don't want to have to install a filter
to make a router usable again. Second, this one was easy to filter. We
can't count on always being that lucky.

> circuit depended on how well it dealt with the loading as different L2
> protocols handle saturation differently. ATM is the ideal medium as the
> latency remains lower than FE or GE at peak saturation.

??? Latency is strictly a function of the average queue size, which is a
function of the number of bits coming in vs the number of bits going out
per unit of time.

Iljitsch van Beijnum
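Added example, not part of the thread: a small Python model of the pps-versus-bandwidth point made in the reply above, showing how a flood of small frames can exceed a router's forwarding rate while the links sit well below their bit rate. The 4 Gbps aggregate, 30% utilisation, 64/1500-byte frame sizes and 1 Mpps forwarding limit are constructed values, not figures from the post.

```python
# Added example (not from the NANOG thread): models why a flood of small
# packets can exhaust a router's packet-per-second budget while the links
# stay well below their bit-rate capacity. All numbers are constructed.

# Per-frame Ethernet overhead that occupies the wire but is not part of
# the frame itself: 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap.
ETH_WIRE_OVERHEAD = 20


def wire_bits(frame_bytes: int) -> int:
    """Bits of link time consumed by one frame of the given size."""
    return (frame_bytes + ETH_WIRE_OVERHEAD) * 8


def max_pps(link_bps: float, frame_bytes: int) -> float:
    """Highest packet rate a link can carry for a fixed frame size
    (100 Mbps of 64-byte frames works out to about 148,809 pps)."""
    return link_bps / wire_bits(frame_bytes)


def pps_at_utilisation(link_bps: float, utilisation: float, frame_bytes: int) -> float:
    """Packet rate seen when a link runs at the given fraction of capacity."""
    return utilisation * max_pps(link_bps, frame_bytes)


def assess(link_bps: float, utilisation: float, frame_bytes: int,
           router_pps_limit: int) -> dict:
    """Compare the offered load against both limits a router has: the bit
    rate of its links and the packet rate its forwarding path sustains."""
    pps = pps_at_utilisation(link_bps, utilisation, frame_bytes)
    return {
        "pps": round(pps),
        "bandwidth_exceeded": utilisation > 1.0,
        "pps_exceeded": pps > router_pps_limit,
    }


if __name__ == "__main__":
    # Constructed scenario: 4 x GE aggregated (4 Gbps in), a hypothetical
    # CPU-based router that forwards at most 1,000,000 pps, links at 30%.
    AGG_BPS, UTIL, PPS_LIMIT = 4e9, 0.30, 1_000_000
    for size in (64, 1500):
        r = assess(AGG_BPS, UTIL, size, PPS_LIMIT)
        print(f"{size:5d}-byte frames at {UTIL:.0%} utilisation: {r}")
```

At 30% of 4 Gbps the 64-byte stream is about 1.79 Mpps and blows past the 1 Mpps limit, while 1500-byte frames at the same utilisation are under 100 kpps; the bandwidth graph looks the same in both cases.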