nikhil
Member Candidate
Topic Author
Posts: 262
Joined: Wed Dec 22, 2004 5:04 pm
Location: US

DDOS packets per seconds MT can handle

Wed Jan 11, 2006 6:24 pm

Strange, we were hit today by a DDoS to one of our servers inside the network. The transfer was about 55,000 to 60,000 packets per second and we saw 100% CPU utilization. The MT we use is a 2.8 GHz P4, 1 GB RAM, Intel GigE 100proMT and onboard Intel 10/100 and GigE, and 2.8.26 (it's also an all-Intel motherboard). This runs BGP also.

We were hardly able to work on Winbox remotely. Moreover, on the 10/100 NIC we got 30 Mbps of traffic, the 55,000 packets per second, and we could barely work on the router.

Moving all traffic to the other GigE, we were able to work a little with the system, though CPU remained at 100%. Null-routing the targeted server helped us come back in control.

What I would like to understand is how we prevent this from happening next time and stop these kinds of disruptions. Do we need to upgrade anything in the router?

Also, what's the max pps MT can do, keeping in mind we do plain routing and a few (30-40) policy routes?
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Wed Jan 11, 2006 8:09 pm

Over the past few years we have had some ddos attacks as well... things I've found that help:

Turn off firewall logging if possible. Logging will kill the router under a high pps load where everything is getting dropped. We were seeing 200,000 pps once and it almost handled it after turning off logging.

Limit the amount of firewall rules you have in place. Do not drop everything and then allow certain things... just allow what you need and drop the rest. Very simplistic if possible.

Do not use queues on the border router.

Do not use bgp on the firewall router.

Do not use NAT.

Create some synflood rules.

Change the connection tracking to be aggressive... or just turn it off if it's not needed.

Separate your border router from your core router / firewalls.

Use 64bit PCI-X intel server nics.

- Just some thoughts... results may vary.

Sam
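As an added example (not from this thread and not MikroTik's own documentation), here is what the advice above looks like as a RouterOS configuration: silencing rule logging, rate-limiting inbound SYNs, keeping the rule set short, and switching connection tracking off. It uses RouterOS v6-style syntax; the 2.8/2.9 builds discussed here differ in detail (the `limit=` matcher took only `rate,burst` back then), and the chain name, addresses and rate figures are assumptions, not values from the thread.

```routeros
# 1. Stop logging on every existing filter rule. Under a flood, logging
#    each dropped packet costs more CPU than the drop itself.
/ip firewall filter set [find log=yes] log=no

# 2. Rate-limit new TCP SYNs headed for the servers behind the router.
#    tcp-flags=syn,!ack matches only the first packet of a handshake, so
#    these rules keep working when connection tracking is off (step 4).
#    limit=rate,burst:packet -- 400 SYN/s with a burst of 5 is an assumed
#    figure; tune it to the real SYN rate your servers see.
/ip firewall filter
add chain=forward protocol=tcp tcp-flags=syn,!ack action=jump \
    jump-target=SYN-Protect comment="SYN flood protection (example chain)"
add chain=SYN-Protect protocol=tcp tcp-flags=syn,!ack limit=400,5:packet \
    action=accept
add chain=SYN-Protect protocol=tcp tcp-flags=syn,!ack action=drop

# 3. Keep the input chain short: accept what the router itself needs,
#    then one final drop. Every packet walks the chain top to bottom,
#    so flood traffic should reach a terminal action as early as possible.
#    Addresses below are documentation ranges standing in for real ones;
#    add any other service the router relies on (DNS, NTP) before the drop.
/ip firewall filter
add chain=input protocol=tcp dst-port=179 src-address=203.0.113.1 \
    action=accept comment="BGP peer (example address)"
add chain=input protocol=tcp dst-port=8291 src-address=192.0.2.0/24 \
    action=accept comment="Winbox from management net (example range)"
add chain=input protocol=icmp action=accept
add chain=input action=drop

# 4. This is where the "aggressive or off" setting lives. On a pure border
#    router with no NAT and no stateful rules, disable tracking entirely;
#    once off, any rule using connection-state=... no longer matches.
/ip firewall connection tracking set enabled=no

#    If tracking must stay on (NAT, established/related rules), shorten the
#    half-open timeouts instead so SYN-flood entries expire quickly.
# /ip firewall connection tracking set enabled=yes \
#     tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s
```

Check the effect with `/ip firewall filter print stats` during normal traffic before relying on the SYN limit, since a rate set too low will drop legitimate handshakes.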
 
nikhil
Member Candidate
Topic Author
Posts: 262
Joined: Wed Dec 22, 2004 5:04 pm
Location: US

Wed Jan 11, 2006 9:22 pm

Thanks for your reply
> Turn off firewall logging if possible. Logging will kill the router under a high pps load where everything is getting dropped. We were seeing 200,000 pps once and it almost handled it after turning off logging.

> Limit the amount of firewall rules you have in place. Do not drop everything and then allow certain things... just allow what you need and drop the rest. Very simplistic if possible.

We don't use a firewall, and all logging other than system is now OFF.

> Do not use queues on the border router.
> Do not use NAT.

We do not use queues other than any defaults that exist. We do not use NAT.

> Do not use bgp on the firewall router.
> Separate your border router from your core router / firewalls.

We don't use it as a firewall; it's only a gateway + border router with BGP.

> Create some synflood rules.

Could you provide some details on this?

> Change the connection tracking to be aggressive... or just turn it off if it's not needed.

Where is this located? How do you turn this off?

Is 2.9.x better / faster than 2.8.x? Would upgrading help in any way, given the fact we use the stock BGP and policy routes on the router?