Security Incidents mailing list archives

Re: Arrowpoint CS-100 attack


From: junior () SHIVA 6O4 NET
Date: Mon, 16 Oct 2000 22:49:28 -0700

Whenever you see this kind of attack, take a few stats.

During the attack, look at the output from
'show dos'
'show dos sum'
'show mem'

The above will show you the source of the attacks (spoofed) and the memory
usage. A reboot will bring things back to normal, but once the CPU is pegged
again the same thing will happen.
You can also enable various syslog levels to log the sources,
but these will almost all be spoofed RFC 1918 addresses.

The Arrowpoints are great in that they help to
prevent SYN, Illegal Source attacks, etc. Unlike most
load balancers, which will blindly load balance any attack (BigIP)
or use some kind of counters (Alteons), during a regular TCP
handshake the Arrowpoint intercepts the packet destined for load-balanced
machines, spoofs the connection and sends a SYN ACK back to the source;
if the source does not answer back, the connection is dropped. This all takes
a lot of CPU, and if the attack is great it will overwhelm the CPU, as is
the case with what is happening to you right now. You DON'T want to
turn this feature off; you have other, more important issues to worry
about here, since if you turn off these features the attack will be passed
on to your machines, which will be hammered.
You have some choices here: get a higher-end Arrowpoint, a CS-150?
If the load of traffic + attack will be too great for the 150, go 800;
these are modular and can be very expensive, but worth all the money.
Since it's modular it can grow as your network grows.

Put a firewall in front of the Arrowpoint and have it deal with the attacks.
A NetScreen-100 (www.netscreen.net) should work fine; it's a hardware/firmware
solution, and not expensive at all.

my 2 cents.

On Mon, Oct 16, 2000 at 02:39:05PM -0200, Thiago Madeira de Lima wrote:
      Hello,

      I'm experiencing a very hard/strange attack.

      I run a service which has the following architecture:

      1 Arrowpoint CS-100
      2 CacheFlows in one VIP, which is the website address (200.x.x.1)
      1 Server in one VIP (200.x.x.2)

      This configuration works very fine, but someone is attacking the IP
200.x.x.1, and then
the Arrowpoint starts saying that there are *MANY* 'Illegal Source Attack', and
it starts to work very slowly and kills all services. It stops packet forwarding
to the servers and marks all servers as down.

      I'm receiving something like 15 Mbit/s of this strange traffic. And I couldn't
verify what it is, because the Arrowpoint does not forward those packets to
the real server nor the cache.

      I looked at the Arrowpoint manual and there's nothing about how to disable
the DoS filter, which I think could be an answer. Maybe the caches or the
server could handle the problem a little better.

      My problem right now is how to identify what attack is really happening, and
then filter the attack someplace before the Arrowpoint.

      Any tricks?

      Thanks a lot
      Thiago
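
To make the behaviour junior describes concrete (intercept the SYN, answer SYN-ACK on the server's behalf, bind a backend only when the client's ACK arrives, expire the rest) and to show why a filter upstream of the Arrowpoint answers Thiago's "filter the attack someplace before the Arrowpoint" question, here is an added simulation. It is not CS-100 code and comes from neither poster; the VIP 203.0.113.1 (a stand-in for 200.x.x.1), the backend names, the three-second half-open timeout and the sample traffic are all constructed assumptions.

```python
import ipaddress
from collections import Counter, namedtuple

# Packet fields: source IP, destination IP, TCP flag of interest, arrival time (s).
Packet = namedtuple("Packet", "src dst flags t")

# Assumed half-open timeout; the CS-100's real value is not given on the page.
HALF_OPEN_TIMEOUT = 3.0

# The reply says the spoofed sources are RFC 1918 addresses, so that is what we test for
# (not ipaddress's is_private, which also flags the documentation ranges used below).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class SynInterceptor:
    """Answers SYNs to the VIP on the servers' behalf and binds a backend only
    once the client's ACK arrives (the behaviour described in the reply)."""

    def __init__(self, vip, backends):
        self.vip = vip
        self.backends = backends
        self.half_open = {}           # src -> time the SYN was seen
        self.forwarded = []           # (src, backend) for handshakes that completed
        self.expired = Counter()      # src -> half-open entries that never got an ACK
        self.illegal_src = Counter()  # src -> SYNs from RFC 1918 space ('Illegal Source')
        self.peak_half_open = 0       # per-SYN state is the CPU/memory cost being paid
        self._rr = 0

    def ingress(self, pkt):
        """Process one packet; returns the packet sent back to the source, if any."""
        if pkt.dst != self.vip:
            return None
        if pkt.flags == "SYN":
            if is_rfc1918(pkt.src):
                self.illegal_src[pkt.src] += 1
            self.half_open[pkt.src] = pkt.t
            self.peak_half_open = max(self.peak_half_open, len(self.half_open))
            return Packet(self.vip, pkt.src, "SYNACK", pkt.t)  # sent on the server's behalf
        if pkt.flags == "ACK" and pkt.src in self.half_open:
            del self.half_open[pkt.src]
            backend = self.backends[self._rr % len(self.backends)]
            self._rr += 1
            self.forwarded.append((pkt.src, backend))  # only now does a real server see it
        return None

    def expire(self, now):
        """Drop half-open entries whose source never answered the SYN-ACK."""
        for src, t0 in list(self.half_open.items()):
            if now - t0 >= HALF_OPEN_TIMEOUT:
                del self.half_open[src]
                self.expired[src] += 1


def bogon_prefilter(pkt):
    """Upstream firewall rule: RFC 1918 sources cannot legitimately arrive from the Internet."""
    return None if is_rfc1918(pkt.src) else pkt


VIP = "203.0.113.1"  # assumed stand-in for the page's 200.x.x.1


def build_traffic(n_spoofed=200):
    """Constructed sample: one real client plus n_spoofed SYNs from 10.0.0.0/8 that never ACK."""
    pkts = [Packet("198.51.100.7", VIP, "SYN", 0.0)]
    pkts += [Packet(f"10.0.{i // 256}.{i % 256}", VIP, "SYN", 0.001 * i)
             for i in range(1, n_spoofed + 1)]
    pkts.append(Packet("198.51.100.7", VIP, "ACK", 0.5))
    return sorted(pkts, key=lambda p: p.t)


def run_scenario(prefilter=None, n_spoofed=200):
    """Replay the traffic through an optional upstream filter and the interceptor, and
    return the kind of numbers a 'show dos sum' / 'show mem' look would give."""
    proxy = SynInterceptor(VIP, ["cache-1", "cache-2"])
    for pkt in build_traffic(n_spoofed):
        if prefilter is not None:
            pkt = prefilter(pkt)
            if pkt is None:
                continue
        proxy.ingress(pkt)
    proxy.expire(now=10.0)
    return {
        "forwarded": proxy.forwarded,
        "illegal_src_syns": sum(proxy.illegal_src.values()),
        "expired_half_open": sum(proxy.expired.values()),
        "peak_half_open": proxy.peak_half_open,
        "top_expired_sources": proxy.expired.most_common(3),
    }


if __name__ == "__main__":
    for label, pf in (("no upstream filter", None), ("RFC 1918 filtered upstream", bogon_prefilter)):
        r = run_scenario(pf)
        print(f"{label}: forwarded={len(r['forwarded'])} illegal={r['illegal_src_syns']} "
              f"expired={r['expired_half_open']} peak_half_open={r['peak_half_open']}")
```

Without the upstream filter the real client still reaches a backend, but the interceptor holds an entry for every spoofed SYN until it times out; that held state is the load the reply says pegs the CPU. With the RFC 1918 filter in front, the interceptor never sees the spoofed SYNs and its table stays at one entry. The caveat is that this only works while the attacker keeps spoofing RFC 1918 sources; spoofed routable addresses pass the filter and the interceptor absorbs them again, which is why the reply also points at a bigger box.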

