Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco 7204VXR can't handle a 100mbs DDOS?

Hi, I have actually 2 Cisco 7206 and 1 Cisco 7204 VXR routers with 256mb of ram in each running ios 12.3.

The 7204 has a NPE300 processor with an additional fastethernet card in it. It has a 100mbs link from our ISP provider, which comes in on f0/0 and lan side is f1/0.

The router is running BGP with the other two, (other two are different providers). Now my question is this. We are a datacenter that provides bandwidth for our clients, and sometimes our clients get hit with a DOS/DDOS attack. When that happens our router cpu load hits 100% and our link is saturated. We usually have about 70-80mbs outbound and 30mbs inbound of traffic on it at any given time.

Recently we put a 2.4ghz freebsd transparent bridge firewall in front of the router to help detect and null route an ip which works quite well.

My question is however, why does the router cpu load spike to 100% when getting doss, the line traffic drops to like 2-3mbs or 0 for out, and the packet rate drops from say 30000packets/sec per interface to like 5000packets/sec per interface.

Now I null route the ip: ip route ip /32 null 0

which usually let's good traffic start to flow again, but the router load is at 90-100% still.

When I run show process it doesn't show anything high at all. IP input is high at 1% and arp is sometimes at 1%, and bgp scanner every now and then is 20% but nothing to keep it pegged at 100%.

If we null route the IP on the firewall box infront of it, then the router load drops back down to 50% normal.

Can't a Cisco 7206 handle this simple null route?

Last clearing of "show interface" counters 11:42:47

Input queue: 5/75/22/3721 (size/max/drops/flushes); Total output drops: 204

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 18009000 bits/sec, 16208 packets/sec

5 minute output rate 61364000 bits/sec, 12475 packets/sec

943042292 packets input, 3139117190 bytes

I have literally nothing in my configuration either, just basic bgp commands, some gateways for the lan and that's it. No logging. I do have ip accounting so i can see the ip being attacked, but that's it.

Please any suggestions?!

Thanks,

-GK

8 REPLIES
Bronze

Re: Cisco 7204VXR can't handle a 100mbs DDOS?

Tests performed by people other than me indicate that an NPE300 maxes out at anywhere between 100Mbit/s and 350Mbit/sec depending on packet size (smaller packets = lower bandwidth, in general).

So if you're link-saturating DOS attacks are via small packets, it's not surprising that the router chokes. A null route really doesn't help the router any from a performance standpoint (to my knowledge) -- it still has to route the packet. That there isn't a process in 'show process cpu' that is showing a lot of CPU usage indicates that the CPU usage is due to interrupts, which generally means packet forwarding. See http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af0.shtml

IP Accounting probably isn't helping things, but I don't know what the performance inpact is on the 7200 series. I'm assuming CEF is enabled.

If 100Mbit+ DOS attacks are common enough that this is a major problem, you may want to either upgrade the router or look into some of these dedicated DOS-protection devices that are floating around these days.

New Member

Re: Cisco 7204VXR can't handle a 100mbs DDOS?

Dos attacks are usually once a week. I work for a datacenter and we host irc servers that do get attacked.

We have another Cisco 7206vxr with a 700mhz cpu engine and it seems to handle a dos much better.

We are thinking of upgrading to either a GSR12008 or a Cisco 6508. I'm not sure which way to lean. basically we are going to ahve 3-4 1gbs providers coming in, and we need a core switch so we can uplink with gigabit fiber to the core switch from our cisco 5000 switches. We have about 4 of them and a total of 600 servers/clients.

Can the Cisco 6506/9 handle multiple 1gbs providers and act like a core switch? and full bgp tables from each providers? I'd also like to do some policy based routing as we want certain subnets to go thru certain providers only.

I am just unsure which is a better option to take in case of a DOS attack. Can the ciso 6509 handle it? Normally we just null route the ip that's being doss'd. I'm not familiar with either of these equipment, any suggestions or questions you have please let me know.

Current config:

R R R

\ | /

Core Switch

|

Switch

|

Switch

etc..

basically I would combine the core switch + routers into one with the cisco 6509 for now. Also I'd need to put proboly 300 gateways onto it for the clients as we have a /19 broken up into smaller /29/28/27/26 subnets.

Thanks

Bronze

Re: Cisco 7204VXR can't handle a 100mbs DDOS?

If all the core switch's links are Ethernet (including the ISP links), I'd probably lean towards a 6509 offhand. But if there will be WAN connections you may have to go with a pure router like a 12000, as they tend to be more WAN-capable relative to layer-3 switches.

A 6509 can easily handle three 1Gbit ISP links. I don't have any hands-on with the 12000 series but I suspect it can as well. You may want to contact Cisco's sales department to help you out with product selection.

New Member

Re: Cisco 7204VXR can't handle a 100mbs DDOS?

Yes. All connectivity is going to be handed off with fiber gigabit or 100mbs links to us. I am still not sure how well a 6509 can handle BGP as a "core router" so to speak with all those providers. Also for handling a dos attack if it's as good or better then a GSR12008.

Thanks

New Member

Re: Cisco 7204VXR can't handle a 100mbs DDOS?

A 6509 handles BGP with full routing tables just fine. But note that Sup2/MSFC2/PFC2 can *not* handle full routing tables combined with uRPF (ip verify unicast reverse-path). A 6509 is also very good for handling DoS attacks, since packet filtering is done in hardware. With the GSR, packet filtering capabilities vary depending on the type of line cards you use.

New Member

Re: Cisco 7204VXR can't handle a 100mbs DDOS?

Is ip verify unicast reverse-path very important?

I'll try to find out what i means exactly. I am leaning towards the 6509 solution since it seems a bit cheaper then going with a GSR for the amount of gigabit ports i will need. Also the advantages of using it as a core switch seems really good.

Would a Supervisor Engine 1A PFC MSFC2 be enough to handle l2/3 routing switching as i need. Or would I need a Supervisor Engine 2 Policy Feature Card 2 (PFC2) Multilayer Switch Feature Card 2 (MSFC2) ?

Thanks.

Bronze

Re: Cisco 7204VXR can't handle a 100mbs DDOS?

Reverse-path forwarding is more important for ISP routers than anything else. It's one of the more elaborate methods of helping to prevent the forwarding of packets with spoofed source addresses. In a data center environment you can generally get away with standard ACLs to accomplish this.

It sounds like your primary concern with a 6509 is going to be your desire to have the device accept full BGP tables from 4 providers. I doubt a Sup1A could handle this (128MB of memory max) -- you'll probably want a Sup2 at least, with 256MB of memory. But depending on what your network's expected growth is over the next few years, a Sup720 might at least be worth considering.

New Member

Re: Cisco 7204VXR can't handle a 100mbs DDOS?

Ya I just realized the sup1a limit for memory, so it woulnd't handle the bgp from 4 providers. So Sup2 looks like it. THe location I am in won;'t have more then proboly 5-6gbs of connectivity. Ya I was thinking of using access lists to permit only traffic that's sourced or destined for our network to elminate spoofing.

Thank you all for your information. It is really helping me decide. So far looks like 6500 is in the lead! :)

444
Views
0
Helpful
8
Replies
CreatePlease to create content