On Sat, 25 Jan 2003, Jack Bates wrote:
> > I think today's events show that CPU-based routers have no business handling anything more than 1 x 100 Mbps in and 1 x 100 Mbps out. If a box has 40 FE interfaces or 4 GE interfaces, at some point you'll see 4 Gbps coming in so the box must be able to handle it to some usable degree.

> Actually, you wouldn't expect to see 4 Gbps coming in.

You wouldn't expect it, but it simply happens anyway.

> That would be full saturation, which would imply serious performance degradation. Most networks that I've dealt with stick to a 70-80% saturation rule.

Unfortunately worms (or denial of service attackers) don't play nice.

> In addition, many of the problems concerning this traffic weren't throughput issues. Each router has a bandwidth limitation and a pps limitation. The worst DDOS I've had to deal with didn't even show as a bandwidth spike on my circuits but exceeded the pps of the router.

That's my point: if you can exceed the router's pps while staying within the aggregate bandwidth for all ports on the box, you'll find yourself in trouble at some point.

> Luckily, such attacks are easily dealt with using access-lists as the router is optimized to block more pps than it is designed to switch. This worm had both.

First of all, I don't want to have to install a filter to make a router usable again. Second, this one was easy to filter. We can't count on always being that lucky.

> circuit depended on how well it dealt with the loading as different L2 protocols handle saturation differently. ATM is the ideal medium as the latency remains lower than FE or GE at peak saturation.

??? Latency is strictly a function of the average queue size, which is a function of the number of bits coming in vs the number of bits going out per unit of time.

Iljitsch van Beijnum
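The two points argued in this thread, that a small-packet flood can exceed a router's pps ceiling while staying well under its aggregate bandwidth, and that queueing delay follows from the gap between arrival and drain rates, can be checked with a small fluid-queue model. This is an added example, not code from the thread; every number in it (line rate, pps ceiling, packet sizes, queue depth) is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    link_bps: float   # aggregate line rate of all ports (constructed value)
    max_pps: float    # forwarding-engine ceiling in packets/s (constructed value)


def pps_at(bps: float, pkt_bytes: int) -> float:
    """Packets per second carried by a given bit rate at one packet size."""
    return bps / (pkt_bytes * 8)


def service_pps(router: Router, pkt_bytes: int) -> float:
    """Rate the router can actually forward: the lower of its two ceilings."""
    return min(router.max_pps, pps_at(router.link_bps, pkt_bytes))


def bottleneck(router: Router, pkt_bytes: int) -> str:
    """Which ceiling binds first at this packet size: 'pps' or 'bandwidth'."""
    if router.max_pps < pps_at(router.link_bps, pkt_bytes):
        return "pps"
    return "bandwidth"


def queue_after(router: Router, offered_bps: float, pkt_bytes: int,
                seconds: int, queue_pkts: int) -> tuple[float, float, float]:
    """Fluid model of the input queue, one-second steps.

    Packets arrive at the offered rate and drain at the service rate; anything
    beyond queue_pkts of backlog is tail-dropped. Returns (backlog in packets,
    queueing delay in seconds for a newly queued packet, packets dropped).
    """
    arrive = pps_at(offered_bps, pkt_bytes)
    serve = service_pps(router, pkt_bytes)
    backlog = dropped = 0.0
    for _ in range(seconds):
        backlog = max(backlog + arrive - serve, 0.0)
        if backlog > queue_pkts:
            dropped += backlog - queue_pkts
            backlog = float(queue_pkts)
    # A queued packet waits for everything ahead of it to be serviced, so
    # delay is backlog divided by drain rate: latency as a function of queue size.
    return backlog, backlog / serve, dropped


if __name__ == "__main__":
    # Constructed box: four FE ports worth of line rate, a 100 kpps CPU path.
    r = Router(link_bps=400e6, max_pps=100_000)
    print(bottleneck(r, 1500), bottleneck(r, 100))        # bandwidth pps
    print(queue_after(r, 100e6, 100, 5, 50_000))         # 100 Mbps of 100-byte packets
```

At 100-byte packets a 100 Mbps flood (25% of the box's aggregate rate, inside the 70-80% rule) still offers 125 kpps against a 100 kpps engine, so the queue fills and drops begin without any bandwidth graph showing a spike.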