North American Network Operators Group
- From: Iljitsch van Beijnum
- Date: Sun Jan 26 03:48:54 2003
On Sat, 25 Jan 2003, Jack Bates wrote:
> > I think today's events show that CPU-based routers have no business
> > handling anything more than 1 x 100 Mbps in and 1 x 100 Mbps out. If a
> > box has 40 FE interfaces or 4 GE interfaces, at some point you'll see 4
> > Gbps coming in so the box must be able to handle it to some usable
> > degree.
> Actually, you wouldn't expect to see 4 Gbps coming in.
You wouldn't expect it, but it simply happens anyway.
> That would be full
> saturation, which would imply serious performance degradation. Most networks
> that I've dealt with stick to a 70-80% saturation rule.
Unfortunately worms (or denial of service attackers) don't play nice.
> In addition, many of
> the problems concerning this traffic weren't throughput issues. Each router
> has a bandwidth limitation and a pps limitation. The worst DDOS I've had to
> deal with didn't even show as a bandwidth spike on my circuits but exceeded
> the pps of the router.
That's my point: if you can exceed the router's pps while staying within
the aggregate bandwidth for all ports on the box, you'll find yourself
in trouble at some point.
> Luckily, such attacks are easily dealt with using
> access-lists as the router is optimized to block more pps than it is
> designed to switch. This worm had both.
First of all, I don't want to have to install a filter to make a router
usable again. Second, this one was easy to filter. We can't count on
always being that lucky.
> circuit depended on how well it dealt with the loading as different L2
> protocols handle saturation differently. ATM is the ideal medium as the
> latency remains lower than FE or GE at peak saturation.
??? Latency is strictly a function of the average queue size, which is a
function of the number of bits coming in vs the number of bits going out
per unit of time.
Iljitsch van Beijnum
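The two separate limits argued over in this exchange (bits per second versus packets per second) and the closing point that queueing latency follows from bits in versus bits out, as an added model that is not part of the thread; the router figures, the 64-byte flood and the per-second traffic trace are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Router:
    capacity_bps: float  # aggregate forwarding bandwidth in bits/s (constructed figure)
    capacity_pps: float  # forwarding limit in packets/s (constructed figure)


def utilisation(router: Router, pps: float, avg_packet_bytes: float):
    """Return (bandwidth utilisation, pps utilisation) for one traffic stream.

    A value above 1.0 on either axis means the box is overloaded there; a flood
    of small packets can exceed the pps budget while the link utilisation
    still looks unremarkable, which is the case described in the thread."""
    bps = pps * avg_packet_bytes * 8
    return bps / router.capacity_bps, pps / router.capacity_pps


def queue_delays(in_bps_per_second, out_bps, buffer_bits):
    """Fluid model of one output queue, stepped one second at a time.

    The backlog grows by (bits in - bits out) each step; whatever exceeds the
    buffer is dropped. Queueing delay is backlog / output rate, so it depends
    only on the in/out ratio and the buffer, not on the link technology."""
    backlog, result = 0.0, []
    for in_bps in in_bps_per_second:
        backlog = max(0.0, backlog + in_bps - out_bps)
        dropped = max(0.0, backlog - buffer_bits)
        backlog = min(backlog, buffer_bits)
        result.append((backlog / out_bps, dropped))
    return result


if __name__ == "__main__":
    box = Router(capacity_bps=4e9, capacity_pps=1e6)  # constructed: 4 x GE, 1 Mpps
    bw, pps = utilisation(box, pps=1.5e6, avg_packet_bytes=64)
    print(f"64-byte flood: {bw:.0%} of bandwidth, {pps:.0%} of pps budget")
    # constructed trace: a 100 Mbps output port, 50 Mbit of buffer
    for delay, dropped in queue_delays([80e6, 120e6, 150e6, 60e6], 100e6, 50e6):
        print(f"delay {delay:.2f}s, dropped {dropped / 1e6:.0f} Mbit")
```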