On Mon, Feb 28, 2000 at 10:53:41PM -0300, Rubens Kuhl Jr. wrote:
> Has anyone performed an evaluation of rate-limiting SYN packets (CAR) versus using TCP Intercept? What responds better to a DDoS attack (assume SYN flooding only)? What uses more router resources?
TCP Intercept uses much more, but the concept of TCP Intercept is to enable the server to continue accepting new connections, while CAR against SYNs will most likely impact that ability significantly. TCP Intercept would not have been effective against these attacks (or any other attack large enough to be a DDoS) due to the sheer number of packets/sec involved. In reality TCP Intercept is like putting a SYN-flood-tuned TCP/IP stack in front of an entire network; it's useful for protecting hosts which for whatever reason cannot handle any serious SYN flood.

Many people do not understand that there is a large factor in a SYN flood called magnitude. The earliest generation SYN floods (PANIX fame) filled simple connection queues and denied new connections with very low bandwidth required by the attacker (dialup speeds). The high speed / DDoS SYN floods of today are on the order of tens or hundreds of thousands of packets/sec, and aim to completely disable the target they are attacking by using all available CPU in the kernel processing SYNs instead of doing other things. Modern PC CPUs are of a much higher power (for the price) than router CPUs, and you will probably fare much better with a P3 500 on a good FastEthernet connection and a decent OS doing intelligent dropping.
> For better performance of CAR or TCP Intercept, should NetFlow switching (ip route-cache flow) also be used, besides CEF?
NetFlow improves performance of long access lists; it will not help CAR (which is queue based) or TCP Intercept. CEF is your best bet.

-- 
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - Network Architect, Vienna VA
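As an added illustration of the point above that rate-limiting SYNs with CAR hurts legitimate connection setup (example code written for this page, not from the thread or from any vendor): it models CAR as a token bucket shared by attack and legitimate SYNs and measures how many legitimate SYNs conform. The traffic rates and limiter parameters are constructed values.

```python
"""Model of CAR-style SYN rate limiting during a SYN flood (added example).

CAR is approximated as a token bucket refilled at limit_pps tokens per second
and capped at `burst` tokens; each SYN that finds a token is transmitted, the
rest are dropped.  The limiter cannot tell attack SYNs from legitimate ones, so
both draw from the same bucket.  All rates below are constructed, not measured.
"""
import random


def simulate_car(legit_pps, attack_pps, limit_pps, burst, seconds=2, seed=1):
    """Return the fraction of legitimate SYNs that pass the rate limiter."""
    rng = random.Random(seed)
    # Arrival times uniformly spread over the window, tagged legit/attack.
    arrivals = [(rng.uniform(0, seconds), True) for _ in range(legit_pps * seconds)]
    arrivals += [(rng.uniform(0, seconds), False) for _ in range(attack_pps * seconds)]
    arrivals.sort()

    tokens = float(burst)   # bucket starts full
    last_t = 0.0
    legit_seen = legit_passed = 0
    for t, is_legit in arrivals:
        tokens = min(float(burst), tokens + (t - last_t) * limit_pps)
        last_t = t
        if is_legit:
            legit_seen += 1
        if tokens >= 1.0:       # conform-action transmit
            tokens -= 1.0
            if is_legit:
                legit_passed += 1
        # else: exceed-action drop
    return legit_passed / legit_seen if legit_seen else 1.0


def sweep(legit_pps, attack_pps, limits, burst):
    """Legit survival fraction for each candidate CAR limit (pps)."""
    return {lim: simulate_car(legit_pps, attack_pps, lim, burst) for lim in limits}


if __name__ == "__main__":
    # Constructed scenario: 100 legit SYN/s against a 50,000 SYN/s flood.
    for lim, frac in sweep(100, 50_000, [1_000, 5_000, 20_000, 100_000], 1_000).items():
        print(f"CAR limit {lim:>7} pps -> {frac:6.1%} of legitimate SYNs survive")
```

At any limit low enough to protect the router or host from the flood, legitimate SYNs are dropped in roughly the same proportion as attack SYNs, which is the trade-off the reply describes.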