nanog mailing list archives

RE: DOS attack tracing

From: "Richard" <richard () o-matrix org>
Date: Tue, 10 May 2005 15:58:32 -1000

Right... I did mention that further down in my message. And yeah -
almost impossible to get much done when the CPU is pegged. I remember
a DOS attack demo where they used 7200s for the examples - almost
wanted to yell out "try pegging the CPU with lots of traffic and THEN
try to identify / null0 the destination or source".

That's the problem in our case. One of our downstream customers got the
attack. Once we disconnected them, everything became fine. I tried pretty
much everything under our control to divert the traffic, including ingress
acl to block all incoming traffic to their subnets. But every time I turn
the downstream ISP back on, our router was dead. We got a 7206VXR and 100M
Ethernet to the primary upstream. I think that the lesson is _always_ use a
router powerful enough to handle all ingress traffic at wire rate. Without
access to the router, there is nothing you can do. So we are going to switch
out the router.

Richard

Current thread:

Re: DOS attack tracing, (continued)
- - - Re: DOS attack tracing Suresh Ramasubramanian (May 10)
    - Re: DOS attack tracing Scott Weeks (May 10)
- RE: DOS attack tracing Hannigan, Martin (May 10)
  - Re: DOS attack tracing Suresh Ramasubramanian (May 10)
  - Re: DOS attack tracing Gadi Evron (May 10)
- RE: DOS attack tracing Hannigan, Martin (May 10)
- RE: DOS attack tracing Chris Ranch (May 10)
- RE: DOS attack tracing Chris Ranch (May 10)
- RE: DOS attack tracing Chris Ranch (May 10)
- RE: DOS attack tracing Chris Ranch (May 10)
- RE: DOS attack tracing Richard (May 10)
  - Re: DOS attack tracing Elmar K. Bins (May 10)