Re: (PM) Which router to use for BGP-4?

Tom (tom@sdf.com)
Fri, 3 Jul 1998 21:17:05 -0700 (PDT)

On Fri, 3 Jul 1998, Tim Tsai wrote:

> On Fri, Jul 03, 1998 at 07:25:00PM -0400, Jordyn A. Buchanan wrote:
> > I don't get it. A Smurf attack is just packets, right? I've seen our 3640
> > handle a whole lot more than a saturated T-1 worth of packets. In fact,
> > the one time we were smurfed, the line that got toasted was running into a
> > 2501, and its processor was able to handle the load, the line just sat
> > maxed out for a while... (We even got legitimate packets through now and
> > then, but they were an unfortunately small part of the total flow...)
> >
> > What is it about a smurf attack that makes it CPU-intensive?
>
> Lots of little packets. The 3600 series starts to choke when you have
> more than 1000 packets on a single interface. Imagine my surprise during
> one such attack to have the Cisco engineer suggest a 7500 to me. On
> two T1's! I've seen it hit at 3000 packets/s - you can forget about any
> response time. CPU at 99%, etc.

A smurf attack is forged ICMP echo-requests to the broadcast address.

Depends, were you the target, or were you the intermediary? You will
need to trace the traffic to find out. You should definitely turn off
directed broadcasts on your 3640.

A 3640 is rated to handle 50 kpps. But you need to make sure the router
doesn't bury itself (over buffering) when interfaces get maxed.

> Our 3640 handles our two T1's with tons of heavy filters and traffic
> shaping just fine too, as long as that packets/s rate is low.
>
> Tim
> -

Tom
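
Added example, not part of the original message: one way to tell from a border packet sample whether a site was the smurf target or the intermediary, as the reply above suggests tracing. The function name, the threshold, and the sample packets (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

def classify_smurf(packets, local_nets, threshold=3):
    """Sort ICMP packets seen at the border into evidence for each smurf role.

    packets:    iterable of (src, dst, icmp_type) tuples.
    local_nets: our subnets exactly as configured on the router interfaces
                (assumption: the directed-broadcast address follows from these).
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    bcasts = {n.broadcast_address for n in nets}

    def is_local(ip):
        return any(ip in n for n in nets)

    requests_to_bcast = Counter()   # forged source (the real victim) -> count
    repliers = defaultdict(set)     # local host -> distinct outside repliers

    for src, dst, icmp_type in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if icmp_type == ECHO_REQUEST and d in bcasts and not is_local(s):
            # Outside echo-request aimed at our broadcast: we are being
            # used as the amplifier, and src is the forged victim address.
            requests_to_bcast[s] += 1
        elif icmp_type == ECHO_REPLY and is_local(d) and not is_local(s):
            # Echo-replies converging on one of our hosts from many networks.
            repliers[d].add(s)

    return {
        "intermediary": {str(v): c for v, c in requests_to_bcast.items()
                         if c >= threshold},
        "target": {str(h): len(r) for h, r in repliers.items()
                   if len(r) >= threshold},
    }

# Constructed samples (not captured traffic).
LOCAL = ["192.0.2.0/24"]
AS_INTERMEDIARY = [("198.51.100.7", "192.0.2.255", ECHO_REQUEST)] * 5
AS_TARGET = [(f"203.0.113.{i}", "192.0.2.10", ECHO_REPLY) for i in range(1, 6)]
NORMAL = [("198.51.100.7", "192.0.2.10", ECHO_REQUEST),
          ("192.0.2.10", "198.51.100.7", ECHO_REPLY)]

if __name__ == "__main__":
    for name, sample in [("intermediary", AS_INTERMEDIARY),
                         ("target", AS_TARGET), ("normal", NORMAL)]:
        print(name, classify_smurf(sample, LOCAL))
```

A non-empty "intermediary" result is the case where turning off directed broadcasts on the router stops the amplification; a non-empty "target" result means the replies have to be filtered upstream of the saturated line.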
