North American Network Operators Group

RE: DOS attack tracing

  • From: Chris Ranch
  • Date: Tue May 10 11:50:13 2005

On Monday, May 09, 2005 5:49 PM, Richard wrote:
> > 
> > On Mon, May 09, 2005 at 01:35:06PM -1000, Richard wrote:
> > 
> > > We recently experienced several DOS attacks which drove 
> > > our backbone routers' CPU to 100%. The routers are not 
> > > under attack, but the router just couldn't handle the 
> > > traffic. There is a plan to upgrade these routers.
> > 
> > What kind of routers? We had problems like this with Cisco 
> > 7206VXRs with NPE-300s at my last job because they just 
> > couldn't handle the high volume of packets-per-second from 
> > certain types of attack.
>
> Oh... I guess that it would be a known issue then... we have 
> exactly the same type of routers. Our routers normally run at 35% 
> CPU. What sucks is that the traffic volume doesn't have to be 
> very high to bring down the router.

Yes, the 7206vxr with whatever processor really checks out when under
any kind of real flood through it.  Its big brother, the 7304-NSE100
does as well.  But the 7304-NPE100 with the PXF can forward that (d)DoS
very well.  Even with fairly extensive ingress filters.  The kick in the
head is that the processors are the same price.  I don't know why they
even sell the NPE100...

Then you can take whatever measures you like to characterize and
mitigate. A combination of upstream null routing (poisoning
communities), ingress filters, core null routing, and your favorite ddos
mitigation equipment filtering has been very effective for us.  

Chris
--------------------------------
Chris Ranch
Director of Network Architecture
Affinity Internet, Inc.