Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DOS?

  • From: Christopher L. Morrow
  • Date: Sat Jan 25 16:24:27 2003


On Sat, 25 Jan 2003, Iljitsch van Beijnum wrote:

>
> On Sat, 25 Jan 2003, Rob Thomas wrote:
>
> > ] access-list 150 deny udp any any eq 1434 log-input
>
> > Be _very_ careful about enabling such logging.  Some of the worm flows
> > have filled GigE pipes.  I doubt you really want to log that; Netflow
> > is a better option in this case.  Too much logging will raise the CPU
> > utilization to the point of creating a DoS on the router.
>
> As a general rule, yes. But:
>
> " Access list logging does not show every packet that matches an entry.
> Logging is rate-limited to avoid CPU overload. What logging shows you is
> a reasonably representative sample, but not a complete packet trace.
> Remember that there are packets you're not seeing.

either way, the logging for this, ESPECIALLY with log-input, is a
dangerous proposition. One thing to keep in mind is that the S-train
platforms are different in handling logging than the normal trains... so
S-train rate-limits (and bumps out them annoying messages about
rate-limited messages) while others punt as much to the route processor as
possible and happily saturate it :( (Don't log on like a 7500 for instance
if the packet rates are over like 5kpps...)

>
> Access lists and logging have a performance impact, but not a large one.
> Be careful on routers running at more than about 80 percent CPU load, or
> when applying access lists to very high-speed interfaces. "
>

right, or on platforms not built to scale :) (like 7500 or smaller boxen)

> ( http://www.cisco.com/warp/public/707/22.html )
>
> There doesn't seem to be a noticable impact on CPU usage for a C12000
> GigE linecard. Can you do Netflow rather than CEF on such a beast
> without a performance penalty?
>

One thing to keep in mind is that perhaps you don't care about the logging
:) Just drop it and make your customers fix their borked boxes...



  • Follow-Ups:
  • References:


Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.