nanog mailing list archives

Re: [long] Re: DDoS: CAR vs TCP-Intercept vs NetFlow


From: Richard Steenbergen <ras () above net>
Date: Mon, 28 Feb 2000 23:15:13 -0500


On Tue, Feb 29, 2000 at 12:06:02AM -0300, Rubens Kuhl Jr. wrote:
> > Other stuff: NetFlow and CEF
> > Fun stuff.
> > Netflow: Don't think of NetFlow in any other capacity other than for
> > trace-back capabilities:
> 
> Thanks for the long answer, but this question was actually on how the router
> performance impact of CAR or TCP-Intercept changes between using CEF
> switching (ip route-cache cef, default) and CEF-Flow switching (ip
> route-cache cef + ip route-cache flow). Although NetFlow impacts router
> performance a little, running CEF-Flow makes large access-list processing
> faster than just running CEF; I think some other features (IPSec ?) also
> have performance gains. I was wondering whether CAR and/or TCP-Intercept
> would have better performance with CEF-Flow.

The answer to the specific question is, NetFlow has absolutely no impact
on CAR or TCP Intercept. Committed Access Rates are based on probabilistic
dropping of packets in a queue and have nothing to do with flows. TCP
Intercept tracks flows on its own; to my knowledge there is nothing it can
use from NetFlow.

Generally speaking, CEF will give you the best performance when dealing
with high-volume packet DoS. Flow is useful for gaining information, but
apart from access-list considerations it has another layer of information
used in switching, therefore it will be a bit slower (l3 src/dst + l4
protocol and ports as opposed to just l3 dst) for other purposes.

Be careful with flow when dealing with random src or random dst (for
example, an attack which elicits a victim system to send replies to random
destinations) attacks, or it may not help you much (as the flow cache gets
max'd).

-- 
Richard A. Steenbergen <ras () above net>  http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - Network Architect, Vienna VA
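The flow-cache exhaustion point above, as an added illustration (not code from the post or from any Cisco implementation): a toy NetFlow-style cache keyed on the 5-tuple with LRU eviction, compared against the single destination-only key CEF would need for the same traffic. The cache size of 4096 entries, the LRU policy and the addresses are all constructed assumptions for the model.

```python
import random
from collections import OrderedDict

CACHE_MAX = 4096  # assumed cache size for this model, not a vendor figure


class FlowCache:
    """Toy NetFlow-style cache: one entry per 5-tuple, LRU eviction when full."""

    def __init__(self, max_entries=CACHE_MAX):
        self.max_entries = max_entries
        self.entries = OrderedDict()  # 5-tuple -> packet count
        self.evictions = 0

    def update(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        if key in self.entries:
            self.entries.move_to_end(key)  # refresh LRU position
            self.entries[key] += 1
            return
        if len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)  # evict least recently used flow
            self.evictions += 1
        self.entries[key] = 1


def cef_keys(packets):
    """CEF forwards on the L3 destination only, so count distinct destinations."""
    return len({p["dst"] for p in packets})


def run(packets, max_entries=CACHE_MAX):
    """Feed packets through the flow cache and report flows, evictions, CEF keys."""
    cache = FlowCache(max_entries)
    for p in packets:
        cache.update(p)
    return {"flows": len(cache.entries), "evictions": cache.evictions,
            "cef_keys": cef_keys(packets)}


def fixed_flood(n, dst="192.0.2.10"):
    """Constructed: n packets of one flow (single source, single destination)."""
    return [{"src": "198.51.100.7", "dst": dst, "proto": 6,
             "sport": 40000, "dport": 80} for _ in range(n)]


def random_src_flood(n, dst="192.0.2.10", seed=1):
    """Constructed: n packets to one destination with randomised source/port."""
    rng = random.Random(seed)
    return [{"src": "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                                      rng.randrange(256)),
             "dst": dst, "proto": 6, "sport": rng.randrange(1024, 65536),
             "dport": 80} for _ in range(n)]
```

A fixed-source flood occupies one cache entry, while the random-source flood fills all 4096 entries and keeps evicting, yet both need only one destination lookup key under CEF.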