On Monday, May 09, 2005 5:49 PM, Richard wrote:
On Mon, May 09, 2005 at 01:35:06PM -1000, Richard wrote:
We recently experienced several DoS attacks which drove our backbone routers' CPU to 100%. The routers are not under attack, but the router just couldn't handle the traffic. There is a plan to upgrade these routers.
What kind of routers? We had problems like this with Cisco 7206VXRs with NPE-300s at my last job because they just couldn't handle the high volume of packets-per-second from certain types of attack.
Oh... I guess that it would be a known issue then... we have exactly the same type of routers. Our routers normally run at 35% CPU. What sucks is that the traffic volume doesn't have to be very high to bring down the router.
Yes, the 7206vxr with whatever processor really checks out when under any kind of real flood through it. Its big brother, the 7304-NSE100 does as well. But the 7304-NPE100 with the PXF can forward that (d)DoS very well. Even with fairly extensive ingress filters. The kick in the head is that the processors are the same price. I don't know why they even sell the NPE100... Then you can take whatever measures you like to characterize and mitigate. A combination of upstream null routing (poisoning communities), ingress filters, core null routing, and your favorite ddos mitigation equipment filtering has been very effective for us.

Chris

--------------------------------
Chris Ranch
Director of Network Architecture
Affinity Internet, Inc.