nanog mailing list archives

Re: NAP/ISP Saturation WAS: Re: Exchanges that matter...


From: "Alex.Bligh" <amb () xara net>
Date: Fri, 20 Dec 1996 22:00:24 +0000


> I think that there's some lack of clarity on the problem here.  Anyone can
> stream packets at ANY router and take it down.  If it's not ICMP, you can
> simply forge routing protocol packets.  It's a question of simply
> supersaturating the system.  To truly deal with DoS attacks, there are
> basically three approaches:

Indeed. For instance, SYN-flood the BGP port.

> 1) Throw money at the problem.  Build a big box that has enough processor
> to deal with the incoming bandwidth for pessimal packets.  Even then, the
> bad guys can simply supersaturate the incoming bandwidth.
>
> 2) Deal with it statistically.  For example, most folks for the recent syn
> attacks will drop syns if they don't complete reasonably, thereby allowing
> some percentage of real traffic to get through.
>
> 3) Deal with it legally.  This is what the telcos do.  It implies that we
> would need real mechanisms for tracking down offenders.

Can I have 2(a) - deal with it statistically and intelligently. TCP/IP
stacks which have got far greater public flak than Cisco's (Solaris 2.4
for instance) do not die when sent 128kb/s of ICMP. As I understand it,
11.1 allows access lists based on ICMP packet type, and this filtering
is already done off-CPU. So "all" the CPU has to do is block ICMP
from particular hosts, or (even) ICMP at all, if it is being flooded.

> As to what Cisco will do, you should probably ask Cisco.

I did. They said "the problem doesn't exist". I am circulating the problem
(before, like SYN floods, it becomes a serious operational problem) to those
with a larger annual Cisco spend than me.

Background to the bug: We discovered this when we had 2 telco lines running
in parallel and wanted to check the performance of one from a host behind
one router, and had no hosts of our own behind the other router. Naively
we thought pinging the other (NAP) router would be a good test with our
stochastic bandwidth modeling tool, which is based on ICMP. Rather an
unpleasant thing happened to our transit. Just wait until someone decides
you should measure your ISP's performance by running
  ping -s 1000 mae-east.sprintlink.net
(8kb/s). Now get 16 people doing it at once, and ...

Alex Bligh
Xara Networks
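The "block ICMP from particular hosts, or ICMP at all, if it is being flooded" policy from the post above, as an added worked example (my own illustration, not code from the original post, from Xara or from Cisco): a sliding-window limiter with a per-source packet cap and an aggregate bit-rate cap, applied only to echo request/reply so that unreachable and time-exceeded messages still pass, which is the "filter by ICMP type" idea in the post. The thresholds (20 echo packets per second per source, 128 kb/s aggregate), the addresses and the packet sizes are assumed values constructed for the example; the sixteen-pinger scenario uses the 1028-byte IP length of a `ping -s 1000` packet (1000 bytes payload + 8 ICMP header + 20 IP header), which is where the 8 kb/s per pinger in the post comes from.

```python
"""Sliding-window ICMP echo rate limiter (illustrative, not Cisco's code).

Models the policy "drop echo from hosts that flood, or all echo if the
aggregate floods", while leaving other ICMP types untouched.
"""
from collections import defaultdict, deque

# ICMP type numbers from RFC 792.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Types this guard never limits: dropping them breaks path-MTU discovery,
# traceroute and error reporting for legitimate traffic.
ICMP_ALWAYS_PASS = {3, 4, 11, 12}  # unreachable, source quench, time exceeded, parameter problem

IP_HEADER_LEN = 20
ICMP_HEADER_LEN = 8


def echo_ip_length(payload_bytes):
    """Total IP datagram length of an echo request carrying this payload
    (no IP options), e.g. `ping -s 1000` -> 1028 bytes."""
    return IP_HEADER_LEN + ICMP_HEADER_LEN + payload_bytes


class IcmpEchoGuard:
    """Two limits, both applied to echo request/reply only.

    * per_source_pps: echo packets per window from one source -> "drop-source"
    * aggregate_bps:  echo bits per window from all sources   -> "drop-all"
    Thresholds are assumed values; a real deployment tunes them per platform.
    """

    def __init__(self, per_source_pps=20, aggregate_bps=128_000, window=1.0):
        self.per_source_pps = per_source_pps
        self.aggregate_bps = aggregate_bps
        self.window = window
        self._by_src = defaultdict(deque)  # src -> timestamps inside the window
        self._all = deque()                # (timestamp, bits) inside the window
        self._all_bits = 0

    def _expire(self, now):
        """Drop window entries older than `window` seconds."""
        cutoff = now - self.window
        while self._all and self._all[0][0] <= cutoff:
            self._all_bits -= self._all.popleft()[1]
        for src in list(self._by_src):
            q = self._by_src[src]
            while q and q[0] <= cutoff:
                q.popleft()
            if not q:
                del self._by_src[src]

    def decide(self, now, src, icmp_type, ip_len):
        """Return "accept", "drop-source" or "drop-all" for one packet."""
        if icmp_type in ICMP_ALWAYS_PASS or icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            return "accept"
        self._expire(now)
        bits = ip_len * 8
        self._all.append((now, bits))
        self._all_bits += bits
        q = self._by_src[src]
        q.append(now)
        if len(q) > self.per_source_pps:
            return "drop-source"  # one host is flooding: filter that host
        if self._all_bits > self.aggregate_bps * self.window:
            return "drop-all"     # everyone together is flooding: filter echo entirely
        return "accept"


def simulate(guard, packets):
    """Feed (time, src, icmp_type, ip_len) tuples through the guard; count verdicts."""
    counts = {"accept": 0, "drop-source": 0, "drop-all": 0}
    for now, src, icmp_type, ip_len in packets:
        counts[guard.decide(now, src, icmp_type, ip_len)] += 1
    return counts


# Constructed scenarios (addresses are documentation ranges, not real hosts).
def one_host_flood():
    """One host sending 100 small echo requests inside a single second."""
    pkts = [(i * 0.005, "192.0.2.1", ICMP_ECHO_REQUEST, echo_ip_length(56))
            for i in range(100)]
    return simulate(IcmpEchoGuard(), pkts)


def sixteen_pingers():
    """Sixteen hosts each doing `ping -s 1000` once a second (about 8 kb/s each)."""
    pkts = [(i * 0.05, f"192.0.2.{i + 1}", ICMP_ECHO_REQUEST, echo_ip_length(1000))
            for i in range(16)]
    return simulate(IcmpEchoGuard(), pkts)


def unreachable_burst():
    """Thirty ICMP unreachables from one source: never limited."""
    pkts = [(i * 0.01, "198.51.100.7", 3, 56) for i in range(30)]
    return simulate(IcmpEchoGuard(), pkts)


if __name__ == "__main__":
    print("one host flooding:", one_host_flood())
    print("sixteen pingers:  ", sixteen_pingers())
    print("unreachable burst:", unreachable_burst())
```

Two things the numbers show: a single host spraying small pings trips the per-source cap long before the aggregate one, so only that host loses echo; sixteen polite one-per-second pingers never individually look abusive, yet the sixteenth pushes the aggregate past 128 kb/s and it is the aggregate rule that has to fire. Whether the real box can afford to take the measurement on the CPU at all is exactly the question the post raises, which is why the post wants the type-based filtering done off-CPU.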


