IPSEC VPNs capable of handling worm traffic
The last 2 days I've been fighting against the Nachi ICMP onslaught on a customer network.
Problem is that the "random" destination traffic seems to kill my VPNs by vendor N. CPU is consumed, probably due to trying to maintain/update the route cache. Or maybe it hits its pps limit.
Ordinary traffic req. is approx. 10 Mbit/s mixed traffic. Worm traffic I would like to be able to handle is approx. 2-3 kpps.
Anyone know of any VPN boxes/routers with VPN capability that are better able to handle the onslaught? Are vendor C's boxes better than Nortel's? Is CEF going to help me? Or is the problem pps related?
Will it help to throw a bigger box at the problem?
Any advice greatly appreciated.
Regards, Magnus - Sweden
All of these cute references to "vendor c" and "vendor n" go by the wayside when we slip and say "Nortel" or refer to "CEF". :)
IMHO, if you aren't breaking an NDA, you might as well name names. If you are breaking an NDA, using initials won't screen you from legal jeopardy...
- Daniel Golding
On 11/19/03 6:27 PM, "Magnus Eriksson" <magnus@eriksson.mu> wrote:
> The last 2 days I've been fighting against the Nachi ICMP onslaught on a customer network.
> Problem is that the "random" destination traffic seems to kill my VPNs by vendor N. CPU is consumed, probably due to trying to maintain/update the route cache. Or maybe it hits its pps limit.
> Ordinary traffic req. is approx. 10 Mbit/s mixed traffic. Worm traffic I would like to be able to handle is approx. 2-3 kpps.
> Anyone know of any VPN boxes/routers with VPN capability that are better able to handle the onslaught? Are vendor C's boxes better than Nortel's? Is CEF going to help me? Or is the problem pps related?
> Will it help to throw a bigger box at the problem?
> Any advice greatly appreciated.
> Regards, Magnus - Sweden
Daniel Golding wrote:
> All of these cute references to "vendor c" and "vendor n" go by the wayside when we slip and say "Nortel" or refer to "CEF". :)
> IMHO, if you aren't breaking an NDA, you might as well name names. If you are breaking an NDA, using initials won't screen you from legal jeopardy...
I thought the letter expressions were popular to obfuscate information for the less knowledgeable/intelligent lurkers on the list.
Pete
On Thu, 20 Nov 2003, Magnus Eriksson wrote:
> The last 2 days I've been fighting against the Nachi ICMP onslaught on a customer network.
> Problem is that the "random" destination traffic seems to kill my VPNs by vendor N. CPU is consumed, probably due to trying to maintain/update the route cache. Or maybe it hits its pps limit. Ordinary traffic req. is approx. 10 Mbit/s mixed traffic. Worm traffic I would like to be able to handle is approx. 2-3 kpps. Anyone know of any VPN boxes/routers with VPN capability that are better able to handle the onslaught? Are vendor C's boxes better than Nortel's? Is CEF going to help me? Or is the problem pps related? Will it help to throw a bigger box at the problem? Any advice greatly appreciated.
::shrugs:: I have a bunch of Linux/FreeSwan systems acting as site-to-site IPSEC gateways, iptables firewalling, no connection tracking... At one point I had at least three infected sites and no problems. YMMV. In my testing my 1.mumble GHz PIII based boxes can saturate 100 Mbit while using AES. Anyone using a Linux system as a router with large (ahem, bigger than /25!) subnets should be sure to adjust the neighbor table thresholds to avoid scanning-triggered problems.
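The neighbor-table adjustment Greg mentions, worked through as an added example (this is not code from the thread or from any of the posters). A worm probing "random" addresses inside a directly attached subnet makes the Linux kernel create an incomplete neighbor entry and send an ARP request for every address probed, so a /22 or larger can blow past the stock `gc_thresh3` limit and the kernel starts logging "neighbour table overflow" and dropping packets. The POSIX sh script below sizes the `net.ipv4.neigh.default.gc_thresh1/2/3` sysctls (real kernel knobs) from the prefix lengths of the local subnets; the sizing rule (hard cap at twice the address count, soft limit at 1.5x, floor at 0.5x) is this example's assumption, not a figure from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): size the Linux neighbour (ARP) table
# for large directly attached subnets, so address scanning cannot overflow it.
# Stock limits are gc_thresh1/2/3 = 128/512/1024 entries; a /22 alone has
# 1024 addresses. Sysctl names are the kernel's; the sizing rule is assumed.

# Number of IPv4 addresses covered by a prefix of the given length.
hosts_in_prefix() {
    echo $(( 1 << (32 - $1) ))
}

# Print "gc_thresh1 gc_thresh2 gc_thresh3" for the prefix lengths given as
# arguments, e.g. "neigh_thresholds 22 24" for one /22 and one /24.
#   gc_thresh3: hard maximum number of entries (2x the address count here)
#   gc_thresh2: soft limit above which garbage collection runs aggressively
#   gc_thresh1: floor below which entries are never reclaimed
neigh_thresholds() {
    total=0
    for p in "$@"; do
        total=$(( total + $(hosts_in_prefix "$p") ))
    done
    echo "$(( total / 2 )) $(( total + total / 2 )) $(( total * 2 ))"
}

# Emit the lines in /etc/sysctl.conf format (IPv4 only; the IPv6 knobs under
# net.ipv6.neigh.default are sized the same way).
neigh_sysctl_lines() {
    set -- $(neigh_thresholds "$@")
    printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
    printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

# Apply at run time (needs root). Dry-run unless APPLY=1 is set, so the
# script is safe to run as an ordinary user; persist by appending the
# neigh_sysctl_lines output to /etc/sysctl.conf.
apply_neigh_thresholds() {
    neigh_sysctl_lines "$@" | while read -r key eq val; do
        if [ "${APPLY:-0}" = 1 ]; then
            sysctl -w "$key=$val"
        else
            echo "would run: sysctl -w $key=$val"
        fi
    done
}

# Usage: one /22 and one /24 on the box, dry-run.
apply_neigh_thresholds 22 24
```

Set the thresholds for the sum of all attached subnets, not just the largest one, because the neighbor table is shared across interfaces; raising them only costs a little kernel memory per entry.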
On Thu, 20 Nov 2003 00:27:20 +0100, Magnus Eriksson wrote
> Will it help to throw a bigger box at the problem?
Would help to know what box you're using if you want to know whether a larger box would help.
At 06:27 PM 11/19/2003, Magnus Eriksson wrote:
> The last 2 days I've been fighting against the Nachi ICMP onslaught on a customer network.
Have you tried rate-limiting or blocking ICMP echo/echo-reply messages? Worm traffic will typically follow the default route to the FW for prefixes that are not in your routing table. It can help the backbone if you null-route your aggregates while permitting traffic to flow to known more-specific prefixes that are in the RT.
> Problem is that the "random" destination traffic seems to kill my VPNs by vendor N. CPU is consumed, probably due to trying to maintain/update the route cache. Or maybe it hits its pps limit.
Hard to say based on the info provided. Cache churn could be part of your problem, as could the CPU used to create cache entries. It doesn't take many infected PCs to bring a cache-based system to its knees.
> Ordinary traffic req. is approx. 10 Mbit/s mixed traffic. Worm traffic I would like to be able to handle is approx. 2-3 kpps.
> Anyone know of any VPN boxes/routers with VPN capability that are better able to handle the onslaught?
IOS should be able to handle this. CEF, which is not cache based, is strongly recommended. It will switch the packets normally at high speeds w/o the extra CPU associated with cache creation/deletion. You will need to make sure that b/w and IPSEC crypto performance aren't limiting factors as well. Most folks identify infected hosts by NetFlow, IDS, etc. Once identified, these hosts are denied access to the network using AAA, DHCP, ACLs (as applicable) until such time as the worm has been shown to be mitigated. PBR can also be used to divert the ICMP traffic to someplace where it can be sniffed and analyzed, etc. There is more info on mitigation on the Cisco web site.
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186...
Regards, Bruce
> Are vendor C's boxes better than Nortel's? Is CEF going to help me? Or is the problem pps related?
> Will it help to throw a bigger box at the problem?
> Any advice greatly appreciated.
> Regards, Magnus - Sweden
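Bruce's point that infected hosts are usually picked out of NetFlow or IDS data and then cut off with ACLs, and his earlier suggestion of rate-limiting echo requests, as an added example that is not code from the thread or from any poster. The POSIX sh/awk script below reads a constructed NetFlow-style text export (one record per line, field layout "src dst proto icmp_type packets" is this example's assumption), flags sources whose ICMP echo requests fan out to an unusually large number of distinct destinations (the "random destination" pattern of a scanning worm rather than a host pinging its gateway), and turns the result into iptables quarantine rules plus a global echo-request rate limit. The sample records, the fan-out threshold and the rate-limit figures are constructed; the iptables syntax is standard.

```shell
#!/bin/sh
# Added example (not from the thread). Flag hosts whose ICMP echo requests
# reach many distinct destinations in a NetFlow-style export, then emit
# the iptables rules that contain them. Records are constructed; field
# layout "src dst proto icmp_type packets" is this example's assumption.

# Constructed sample export. 10.1.1.5 probes six different addresses
# (scanner), 10.1.1.20 pings its gateway repeatedly (one destination,
# normal), 10.1.1.7 only sends echo replies, 10.1.2.3 probes two addresses.
sample_flows() {
    cat <<'EOF'
10.1.1.5 10.1.1.9 icmp 8 1
10.1.1.5 10.1.1.10 icmp 8 1
10.1.1.5 10.1.1.11 icmp 8 1
10.1.1.5 10.1.1.12 icmp 8 1
10.1.1.5 10.1.1.13 icmp 8 1
10.1.1.5 10.1.1.9 icmp 8 1
10.1.1.5 10.1.1.14 icmp 8 1
10.1.1.20 10.1.1.1 icmp 8 4
10.1.1.20 10.1.1.1 icmp 8 3
10.1.1.20 10.1.1.1 icmp 8 5
10.1.1.7 10.1.1.30 icmp 0 1
10.1.1.7 10.1.1.31 icmp 0 1
10.1.1.7 10.1.1.32 icmp 0 1
10.1.1.7 10.1.1.33 icmp 0 1
10.1.1.7 10.1.1.34 icmp 0 1
10.1.1.7 10.1.1.35 icmp 0 1
10.1.2.3 10.1.2.9 icmp 8 1
10.1.2.3 10.1.2.10 icmp 8 1
10.1.2.3 10.1.2.99 tcp - 12
EOF
}

# Read flows on stdin; print, sorted, every source that sent echo requests
# (ICMP type 8) to at least $1 distinct destinations. Repeated flows to the
# same destination count once, and echo replies (type 0) are ignored.
flagged_scanners() {
    awk -v th="$1" '
        $3 == "icmp" && $4 == 8 {
            key = $1 SUBSEP $2
            if (!(key in seen)) { seen[key] = 1; fanout[$1]++ }
        }
        END { for (s in fanout) if (fanout[s] >= th) print s }
    ' | sort
}

# Distinct echo-request destinations for one source; handy when tuning th.
fanout_of() {
    awk -v src="$1" '
        $1 == src && $3 == "icmp" && $4 == 8 { d[$2] = 1 }
        END { n = 0; for (k in d) n++; print n }
    '
}

# Emit iptables rules: drop echo requests from each flagged host (quarantine
# until the host is cleaned), then rate-limit echo requests from everyone
# else so a newly infected host cannot hog the gateway CPU. Printed, not
# run, so the output can be reviewed before it is applied as root.
containment_rules() {
    for h in "$@"; do
        echo "iptables -I FORWARD -s $h -p icmp --icmp-type echo-request -j DROP"
    done
    echo "iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 100/s --limit-burst 200 -j ACCEPT"
    echo "iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP"
}

# Usage: flag at five distinct destinations and print the rule set.
hosts=$(sample_flows | flagged_scanners 5)
containment_rules $hosts
```

The threshold is the knob to get right: a monitoring host that pings every router in the network legitimately fans out too, so whitelist it or raise the threshold above its normal count, and compare against a quiet-day baseline before acting on the list.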
Participants (6): Bruce R. Babcock, Charlie Clemmer, Daniel Golding, Greg Maxwell, Magnus Eriksson, Petri Helenius