From: Evgeny Tantsura (ivgen@castel.nl)
Date: Fri Feb 28 2003 - 12:18:30 GMT-3
In case of DDOS via more than 1 upstream you could even advertise the /32
victim's IP via IBGP and then route this IP to the Null interface.
P.S. CAR with a simple access-list will work w/o any CPU load.
P.P.S. I've never heard about an upstream provider which won't stop DOS for
the customer... maybe you should look for another nice one :)
> Another technique I read on Nanog was not to block the addresses but
> route them to null0 or some other black hole. Much nicer to the CPU.
>
> Ken
>
> >>> "Casey, Paul (6822)" <Paul.Casey@o2.com> 02/28/03 02:56AM >>>
> Couldn't you use ip tcp intercept for servers network on your routers
> and ip verify unicast reverse-path to stop this yourself.
>
> Kind regards.
> Paul.
>
>
> -----Original Message-----
> From: Weidong Xiao [mailto:Weidong.Xiao@vi.net]
> Sent: 28 February 2003 10:08
> To: ccielab@groupstudy.com
> Subject: OT: Comman Practice Question (RE: cpu usuage high)
>
>
> Our 6509 IOS has been upgraded from 12.1(2)E to 12.1(13)E4. The cpu usage
> is much better now, and I can issue "ip route TARGET-IP 255.255.255.255
> Null 0" or turn on strict filtering without fear. Thanks for all the
> replies.
>
> I sent an email to NANOG yesterday without success. I'd like to post it
> here, any reply will be appreciated.
>
> "One of our servers is being DOS attacked by a flood of 100Mb/s. Most of
> the traffic is with spoofed source IP, like 192.168.0.0 or others in
> Bogon list.
>
> I can block this kind of traffic at our border router, but the router's
> cpu usage will become high.
>
> I asked our up-stream provider to stop sending traffic like that to us.
> Action hasn't been taken. My question is, do they have the obligation
> to do that if I've asked them? Is that their duty?"
>
>
> Thanks,
> Weidong
>
>
> > -----Original Message-----
> > From: Weidong Xiao
> > Sent: 25 February 2003 17:05
> > To: Chuck Church; ccielab@groupstudy.com
> > Subject: RE: cpu usuage high
> >
> >
> > Thanks Chuck, you are always helpful.
> >
> > For the purpose to off load the 6509, I issued "ip route
> > TARGET-IP 255.255.255.255 Null 0", the cpu usage immediately
> > increased by 25%. When I took that off, the cpu usage
> > immediately dropped. I should be able to draw the conclusion
> > that something must be wrong in the IOS. Have scheduled time to
> > upgrade and I'll let you know the result.
> >
> > Cheers,
> > Weidong
> >
> >
> >
> > > -----Original Message-----
> > > From: Chuck Church [mailto:ccie8776@rochester.rr.com]
> > > Sent: 24 February 2003 19:22
> > > To: Weidong Xiao; ccielab@groupstudy.com
> > > Subject: Re: cpu usuage high
> > >
> > >
> > > It's a long shot, but you might want to try a newer IOS. I know there were
> > > some performance problems with buffers on some of the 12.1.8 or so versions.
> > > Don't know if the problem existed in 12.1.2E. Might want to try 12.1.13Ex.
> > > It'll add the luxury of NBAR as well, in case you need that down the road.
> > >
> > > Chuck Church
> > > CCIE #8776, MCNE, MCSE
> > >
> > >
> > > ----- Original Message -----
> > > From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Monday, February 24, 2003 9:33 AM
> > > Subject: RE: cpu usuage high
> > >
> > >
> > > > Thanks.
> > > >
> > > > "sh ip bgp flap-statistics" shows nothing. bgp connection is pretty
> > > > stable. I used bogon BGP template as well. The interface didn't flap. The
> > > > high cpu usage happened when incoming traffic suddenly increased. Logs show
> > > > most of the traffic go to the target.
> > > >
> > > > br1.rtr#sh ver
> > > > Cisco Internetwork Operating System Software
> > > > IOS (tm) MSFC2 Software (C6MSFC2-IS-M), Version 12.1(2)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > > >
> > > > br1.rtr#sh run
> > > > ...
> > > > interface Null0
> > > > no ip unreachables
> > > > ...
> > > >
> > > > > -----Original Message-----
> > > > > From: Nawaz, Ajaz [mailto:Ajaz.Nawaz@bskyb.com]
> > > > > Sent: 24 February 2003 11:24
> > > > > To: 'Tony Huang'; Weidong Xiao; ccielab@groupstudy.com
> > > > > Subject: RE: cpu usuage high
> > > > >
> > > > >
> > > > >
> > > > > > This has nothing to do with Spantree whatsoever - the issues
> > > > > > highlighted are related to router processes pointed out by
> > > > > > Weidong Xiao below. They are IP Input and BGP Scanner.
> > > > > >
> > > > > > There is not enough information to say exactly what may be
> > > > > > causing this but it could be a bug or something like BGP flap.
> > > > > > We need to see output from show ver and config too for starters.
> > > > > > If you see it again use show ip bgp flap-statistics. Does the
> > > > > > high CPU follow an interface flap?
> > > > >
> > > > >
> > > > > ajaz
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Tony Huang [mailto:tonyh5@hotmail.com]
> > > > > Sent: 24 February 2003 02:00
> > > > > To: Weidong Xiao; ccielab@groupstudy.com
> > > > > Subject: Re: cpu usuage high
> > > > >
> > > > >
> > > > > Hi,
> > > > > > I think the frequent change of network status could cause the
> > > > > > high cpu usage because the switch needs to run spantree times.
> > > > > > By issuing sh spantree statistics, you should be able to see
> > > > > > which port has incurred the change. You can find this by looking
> > > > > > at the column: topology change last recvd. from.
> > > > > > From there, you can keep tracing the source of problems.
> > > > > Hope it helps,
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Tony
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Weidong Xiao" <Weidong.Xiao@vi.net>
> > > > > To: <ccielab@groupstudy.com>
> > > > > Sent: Monday, February 24, 2003 9:34 AM
> > > > > Subject: cpu usuage high
> > > > >
> > > > >
> > > > > > Hi Group,
> > > > > >
> > > > > > > A cat6509 is receiving about 30Mb/s traffic from the Internet.
> > > > > > > Normally the cpu usage is under 10%. But for the last couple of
> > > > > > > hours it's like below. I am wondering what kind of traffic can be
> > > > > > > so 'powerful', and what does pid 19 (see below) mean. Can anyone
> > > > > > > shed some light?
> > > > > >
> > > > > > Thanks very much,
> > > > > > Weidong
> > > > > >
> > > > > >
> > > > > > > br1.rtr#sh proc cpu
> > > > > > > CPU utilization for five seconds: 48%/32%; one minute: 64%; five minutes: 65%
> > > > > > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> > > > > > > ....
> > > > > > > 19 42728104 184864569 231 16.54% 19.07% 19.36% 0 IP Input
> > > > > > > ....
> > > > > > > 66 175270476 1282394 136677 0.00% 1.39% 1.94% 0 BGP Scanner
> > > > >
> > > > >
> > > > > .
> > > > >
> > > > >
> > > > >
> > >
> >
> **********************************************************************
> > > > > Information in this email is confidential and may be
> privileged.
> > > > > It is intended for the addressee only. If you have received it
>
> > > > > in error, please notify the sender immediately and delete it
> > > > > from
> > > your system.
> > > > > You should not otherwise copy it, retransmit it or use or
> > > disclose its
> > > > > contents to anyone.
> > > > > Thank you for your co-operation.
> > > > >
> > >
> >
> **********************************************************************
>
>
> ****************************************************************************************
>
> This E-mail is from O2. The E-mail and any files
> transmitted with it are confidential and may also be privileged and
> intended
> solely for the use of the individual or entity to whom they are
> addressed.
> Any unauthorised direct or indirect dissemination, distribution or
> copying
> of this message and any attachments is strictly prohibited. If you
> have
> received the E-mail in error please notify postmaster@O2.com or
> telephone ++ 353 1 6095000.
>
> *****************************************************************************************
>
With kind regards/ met vriendelijke groeten,
------------------------------------------------
E. Tantsura
Network Developer
Essent Kabelcom N.V.
Dr.van Deenweg 84
8025BN Zwolle, The Netherlands
Tel: +31-(0)38-850-7642
Fax: +31-(0)38-850-7410
Mob: +31-(0)6-290-80458
------------------------------------------------
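
Added example, not part of the original thread: one common way to build the setup the top reply describes, where the victim's /32 is advertised over IBGP and every border router discards it at Null0. AS 64512, neighbor 10.0.0.2, tag 666, the discard next hop 192.0.2.1 and the victim address 203.0.113.10 are placeholders chosen for illustration.

```cisco
! ---- On every border router, configured ahead of time ----
! Suppress ICMP unreachables for discarded packets so the drop
! itself does not generate CPU load (same setting as in the
! "sh run" output quoted in the thread).
interface Null0
 no ip unreachables
!
! Discard next hop: any route whose BGP next hop resolves to
! 192.0.2.1 is dropped in the forwarding path.
ip route 192.0.2.1 255.255.255.255 Null0
!
! ---- On the trigger router (any IBGP speaker) ----
! Only static routes carrying tag 666 are turned into
! black-hole announcements.
route-map BLACKHOLE-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 ! Keep the /32 inside the local AS.
 set community no-export
!
route-map BLACKHOLE-TRIGGER deny 20
!
router bgp 64512
 redistribute static route-map BLACKHOLE-TRIGGER
 neighbor 10.0.0.2 remote-as 64512
 neighbor 10.0.0.2 send-community
!
! ---- During the attack, on the trigger router only ----
! One static route starts the black hole on all border routers.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! ---- When the attack stops ----
no ip route 203.0.113.10 255.255.255.255 Null0 tag 666
```

The black hole drops all traffic to the victim address, legitimate traffic included, so it protects the rest of the network and the router CPU rather than the attacked server itself.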
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:39 GMT-3