North American Network Operators Group
Re: NAP/ISP Saturation WAS: Re: Exchanges that matter...
> I think that there's some lack of clarity on the problem here. Anyone can
> stream packets at ANY router and take it down. If it's not ICMP, you can
> simply forge routing protocol packets. It's a question of simply
> supersaturating the system. To truly deal with DoS attacks, there are
> basically three approaches:

Indeed. For instance, SYN-flood the BGP port.

> 1) Throw money at the problem. Build a big box that has enough processor
> to deal with the incoming bandwidth for pessimal packets. Even then, the
> bad guys can simply supersaturate the incoming bandwidth.
>
> 2) Deal with it statistically. For example, most folks for the recent SYN
> attacks will drop SYNs if they don't complete reasonably, thereby allowing
> some percentage of real traffic to get through.
>
> 3) Deal with it legally. This is what the telcos do. It implies that we
> would need real mechanisms for tracking down offenders.

Can I have 2(a): deal with it statistically and intelligently? TCP/IP
stacks which have got far greater public flak than Cisco's (Solaris 2.4,
for instance) do not die when sent 128kb/s of ICMP. As I understand it,
11.1 allows access lists based on ICMP packet type, and this filtering is
already done off CPU. So "all" the CPU has to do is block ICMPs from
particular hosts, or (even) ICMP at all, if it is being flooded.

> As to what cisco will do, you should probably ask cisco.

I did. They said "the problem doesn't exist". I am circulating the problem
(before, like SYN floods, it becomes a serious operational problem) to
those with larger annual Cisco spend than me.

Background to bug: We discovered this when we had 2 telco lines running in
parallel and wanted to check the performance of one from a host behind one
router, and had no hosts of our own behind the other router. Naively we
thought pinging the other (NAP) router would be a good test with our
stochastic bandwidth modeling tool, which is based on ICMP. Rather an
unpleasant thing happened to our transit.
Just wait until someone decides you should measure your ISP's performance
by running ping -s 1000 mae-east.sprintlink.net (8kb/s). Now get 16 people
doing it at once, and ...

Alex Bligh
Xara Networks
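One way to build the "2(a)" behaviour the post asks for, as an added example that is not part of the original post and not Cisco IOS code: a per-source token bucket applied only to ICMP echo, so one flooder is capped at a fixed rate while ordinary pings and the BGP session are untouched. The addresses, packet sizes, rates and the three traffic sources below are constructed; the ping -s 1000 once-a-second and 16 kbit/s figures are assumptions chosen to mirror the numbers in the post.

```python
# Added example: per-source token-bucket policing of ICMP echo.
# Not from the original post or from any router vendor; all traffic,
# addresses and rates below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    ts: float                    # arrival time, seconds
    src: str                     # source IP address
    proto: str                   # "icmp", "tcp", ...
    length: int                  # bytes on the wire, IP header included
    icmp_type: Optional[int] = None


class IcmpRateLimiter:
    """Token bucket per source address, applied only to ICMP echo traffic.

    rate_bps: sustained ICMP bytes allowed per source, given in bits/second
    burst:    bucket depth in bytes (how much passes before limiting bites)
    """

    def __init__(self, rate_bps: float, burst: int,
                 limited_types=(ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)):
        self.rate = rate_bps / 8.0            # bytes per second
        self.burst = burst
        self.limited_types = set(limited_types)
        self.tokens = {}                      # src -> bytes of credit left
        self.last = {}                        # src -> time of last refill
        self.stats = defaultdict(lambda: {"pass": 0, "drop": 0})

    def admit(self, p: Packet) -> bool:
        """Return True to forward the packet, False to drop it."""
        if p.proto != "icmp" or p.icmp_type not in self.limited_types:
            return True                       # only echo traffic is policed
        # Refill this source's bucket for the time since its last packet.
        last = self.last.get(p.src, p.ts)
        tokens = self.tokens.get(p.src, self.burst)
        tokens = min(self.burst, tokens + (p.ts - last) * self.rate)
        self.last[p.src] = p.ts
        if tokens >= p.length:
            self.tokens[p.src] = tokens - p.length
            self.stats[p.src]["pass"] += 1
            return True
        self.tokens[p.src] = tokens           # no credit: drop, keep credit
        self.stats[p.src]["drop"] += 1
        return False


def simulate():
    """Run constructed traffic through the limiter; return per-source stats.

    192.0.2.10: a normal `ping -s 1000` once a second for 10 s (~8 kbit/s)
    192.0.2.66: a flooder sending 64-byte echo requests every 1 ms for 1 s
    192.0.2.1:  one BGP (TCP/179) segment, which must never be policed
    """
    lim = IcmpRateLimiter(rate_bps=16_000, burst=4_000)   # 16 kbit/s, 4 kB burst
    traffic = [Packet(ts=float(i), src="192.0.2.10", proto="icmp",
                      length=1028, icmp_type=ICMP_ECHO_REQUEST)
               for i in range(10)]
    traffic += [Packet(ts=i / 1000.0, src="192.0.2.66", proto="icmp",
                       length=64, icmp_type=ICMP_ECHO_REQUEST)
                for i in range(1000)]
    traffic.append(Packet(ts=0.5, src="192.0.2.1", proto="tcp", length=80))
    traffic.sort(key=lambda p: p.ts)

    bgp_admitted = None
    for p in traffic:
        ok = lim.admit(p)
        if p.proto == "tcp":
            bgp_admitted = ok
    return {
        "pinger": dict(lim.stats["192.0.2.10"]),
        "flooder": dict(lim.stats["192.0.2.66"]),
        "bgp_admitted": bgp_admitted,
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

With these numbers the once-a-second pinger never loses a packet, the BGP segment is never looked at by the policer, and the flooder gets roughly its 4 kB burst plus 16 kbit/s of credit for the second it runs (a few dozen of its 1000 packets), with the rest dropped before they cost the CPU anything. Blocking ICMP per source, or a whole ICMP type, is the same mechanism with rate set to zero.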