nanog mailing list archives

RE: DOS attack tracing


From: "Chris Ranch" <CRanch () Affinity com>
Date: Tue, 10 May 2005 11:47:05 -0400


On Monday, May 09, 2005 5:49 PM, Richard wrote:

On Mon, May 09, 2005 at 01:35:06PM -1000, Richard wrote:

We recently experienced several DOS attacks which drove 
our backbone routers' CPU to 100%. The routers are not 
under attack, but the routers just couldn't handle the 
traffic. There is a plan to upgrade these routers.

What kind of routers? We had problems like this with Cisco 
7206VXRs with NPE-300s at my last job because they just 
couldn't handle the high volume of packets-per-second from 
certain types of attack.

Oh... I guess that it would be a known issue then... we have 
exactly the same type of routers. Our routers normally run at 35% 
CPU. What sucks is that the traffic volume doesn't have to be 
very high to bring down the router.

Yes, the 7206vxr with whatever processor really checks out when under
any kind of real flood through it.  Its big brother, the 7304-NSE100,
does as well.  But the 7304-NPE100 with the PXF can forward that (d)DoS
very well.  Even with fairly extensive ingress filters.  The kick in the
head is that the processors are the same price.  I don't know why they
even sell the NPE100...

Then you can take whatever measures you like to characterize and
mitigate. A combination of upstream null routing (poisoning
communities), ingress filters, core null routing, and your favorite ddos
mitigation equipment filtering has been very effective for us.  

Chris
--------------------------------
Chris Ranch
Director of Network Architecture
Affinity Internet, Inc.
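Editor's worked example, not part of Chris's mail or Affinity's configuration: the "upstream null routing (poisoning communities)", "ingress filters" and "core null routing" he lists, written out as a remote-triggered black hole (RTBH) setup in Cisco IOS syntax. Everything concrete here is an assumption for illustration: our AS 64496 and prefix 203.0.113.0/24, the upstream AS 64497 and its blackhole community 64497:666 (a real upstream publishes its own), the 192.0.2.1 discard next-hop, the victim host 203.0.113.10, the peer addresses and the interface name. Because the thread is about CPU exhaustion, the comments point out where the config keeps the drops in the CEF forwarding path instead of punting to the processor.

```cisco
! ===== Trigger router (any box in AS 64496 with an iBGP session) =====
ip bgp-community new-format
!
! Pin the victim host to Null0 and tag the static so the route-map can
! pick it up.  Adding/removing this one line starts/stops the blackhole.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! Only tagged statics are redistributed; the next-hop is rewritten to a
! discard address that every router resolves to Null0, and the upstream's
! (assumed) blackhole community 64497:666 is attached.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 64497:666
!
router bgp 64496
 redistribute static route-map RTBH-TRIGGER
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 send-community
!
! ===== Every router in AS 64496 (core null routing) =====
! The discard next-hop points at Null0, so the /32 learned over iBGP is
! dropped in the CEF forwarding path at the ingress router, not punted to
! the CPU.  Unreachables are disabled on Null0 so the router does not
! spend cycles generating ICMP for every dropped packet.
ip cef
ip route 192.0.2.1 255.255.255.255 Null0
interface Null0
 no ip unreachables
!
! ===== Upstream-facing edge router =====
! Our aggregate goes out as usual; a /32 is only allowed out when it
! carries the blackhole community, which the upstream honours by
! discarding the traffic on its side (upstream null routing).
ip community-list standard BLACKHOLE permit 64497:666
ip prefix-list OUR-AGGREGATES seq 10 permit 203.0.113.0/24
!
route-map TO-UPSTREAM permit 10
 match community BLACKHOLE
route-map TO-UPSTREAM permit 20
 match ip address prefix-list OUR-AGGREGATES
!
router bgp 64496
 neighbor 198.51.100.254 remote-as 64497
 neighbor 198.51.100.254 send-community
 neighbor 198.51.100.254 route-map TO-UPSTREAM out
!
! ===== Ingress filter on the upstream-facing interface =====
! Drop packets sourced from private space and from our own block
! (no legitimate packet from the Internet carries those sources).
! No "log" keyword: logged ACL hits are process-switched and would
! themselves drive the CPU up during a flood.
ip access-list extended INGRESS-FROM-UPSTREAM
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description link to AS 64497 (assumed interface)
 ip access-group INGRESS-FROM-UPSTREAM in
```

The edge router's own iBGP sessions to the trigger and the rest of the core are left out for brevity. Two caveats a practitioner will want: the victim host is unreachable for as long as the tagged static exists (the blackhole finishes the DoS for that one address in exchange for keeping the router and the rest of the prefix alive), and the upstream-side drop only happens if the upstream actually accepts /32s carrying the community from this session, which has to be arranged with them beforehand, not during the attack.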

