We have a 3640 with 128M of RAM. 4 Ethernet interfaces and 4 Serial
interfaces. Two of the T1s are our upstreams, multi-homed through two
national providers using BGP-4.
*ALL* the interfaces have IP directed broadcasts turned off. In
addition, there are extensive filters on *both* incoming and outgoing
traffic (anti-spoofing, no IANA ip traffic, broadcast addresses, etc.).
Recently, we added traffic shaping to ICMP traffic.
In all cases, we were the *target* of the attack. It is not trivial
to use us as a bounce point (I want to say impossible but hey, there are
very creative hackers out there).
During one such attack, I had a Cisco engineer look at the router and
he's the one that told me 1000 packets/s on the serial interface is bad
news. I've seen the router at 99% CPU utilization at various times and
the pps rate is always in direct correlation to the CPU utilization.
200-500pps is pretty good. 1000 and higher and everything goes down the
toilet.
BTW, we've never lost BGP link during any attacks so I don't think
that's the issue.
There was a discussion on this in inet-access awhile back. The consensus
is that a 7x00 or higher Cisco with RSP processors is the only one that
can deal with those packet rates effectively, even on a single T1.
Now, let's get back to how a PM3 is going to do if it was smurfed. :-)
Tim
-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
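The protections Tim lists above (directed broadcasts off on every interface, anti-spoofing filters in both directions, dropping reserved IANA space and broadcast addresses, and a cap on ICMP) sketched out as a Cisco IOS configuration. This is an added example, not Tim's running config or anything from the list: the site block 192.0.2.0/24, the interface names and the 64 kbit/s ICMP figure are assumed, and CAR rate limiting stands in for whatever shaping he actually applied.

```cisco
! Added example, not the original poster's configuration.
! Assumes the site owns 192.0.2.0/24 (documentation prefix standing
! in for the real block), Serial0/0 is one upstream T1 and
! Ethernet0/0 faces the LAN.
!
! Directed broadcasts were on by default before IOS 12.0; turning
! them off on every interface keeps the router from acting as a
! smurf amplifier.
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 ip access-group 110 in
!
interface Serial0/0
 description upstream T1
 no ip directed-broadcast
 ip access-group 101 in
 rate-limit input access-group 102 64000 8000 8000 conform-action transmit exceed-action drop
!
! Inbound from the upstream: our own block arriving from outside is
! spoofed; RFC 1918, loopback and 0/8 should never appear on the
! wire; the network and broadcast addresses are not valid targets.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip any host 192.0.2.0
access-list 101 deny   ip any host 192.0.2.255
access-list 101 permit ip any 192.0.2.0 0.0.0.255
!
! Traffic handed to the ICMP rate limiter on the T1.
access-list 102 permit icmp any any
!
! Outbound from the LAN: only source addresses we actually own may
! leave, so hosts behind us cannot be used to spoof someone else.
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip any any log
```

The rate limiter only relieves the T1 of excess ICMP after the packets have already arrived and been counted by the CPU, which is why it does not change the packets-per-second ceiling Tim describes.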