Attacking on Source Port 0 (ZERO)

Hi everybody,
Does anybody know what kind of attack can come to port 0? I see such
logs on my routers, which cause high CPU loads:

MYROUTERIP:0
41.78.77.178:2816

MYROUTERIP:0
217.160.5.153:2816

Thanks

If it's protocol 0, instead of port 0, it's likely a packet-flooding DDoS attack.

If it's port 0, you may be incorrectly blocking non-initial fragments. Alternately, it could represent a fragmented DDoS attack, either non-initial fragments fired directly against something on your network or as the result of a DNS reflection/amplification attack against something on your network.

The log fragment you posted doesn't provide enough detail to make an informed judgement. Also, you should not place servers behind a stateful firewall, anyways.
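To illustrate the "non-initial fragments" point above: only the first fragment of an IPv4 datagram carries the TCP/UDP header, so a logger that reads ports from every fragment either prints garbage or, if it knows about fragmentation, has no port to print and typically renders it as 0. This is an added example, not code from the thread; the packets are constructed inline with documentation-range addresses, and rendering the missing port as 0 is an assumption about how the poster's router logs fragments.

```python
import struct

def ipv4_header(src, dst, proto, more_frags, frag_offset, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; irrelevant for parsing)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (int(more_frags) << 13) | (frag_offset & 0x1FFF)  # MF is bit 13
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, proto, 0, src, dst)

def naive_ports(pkt):
    """A logger that ignores fragmentation: always treat bytes 20..23 as ports."""
    return struct.unpack("!HH", pkt[20:24])

def fragment_aware_ports(pkt):
    """Only fragment offset 0 carries the transport header; otherwise no ports exist."""
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    return None if frag_offset else naive_ports(pkt)

def log_line(pkt):
    """Render like a router ACL log; missing ports shown as 0 (assumed convention)."""
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    ports = fragment_aware_ports(pkt)
    sport, dport = ports if ports else (0, 0)
    tag = "" if ports else " (non-initial fragment)"
    return f"{src}:{sport} -> {dst}:{dport}{tag}"

# Constructed sample packets (documentation addresses, not real hosts).
SRC, DST, TCP = bytes([203, 0, 113, 7]), bytes([198, 51, 100, 1]), 6

# Fragment 1: IP header + TCP SYN header, src port 2816 -> dst port 80, MF set.
tcp_hdr = struct.pack("!HHIIBBHHH", 2816, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
first_frag = ipv4_header(SRC, DST, TCP, True, 0, len(tcp_hdr)) + tcp_hdr

# Fragment 2: offset 185 (1480 bytes / 8), body is application data, no TCP header.
payload = b"GET / HTTP/1.1\r\n"
second_frag = ipv4_header(SRC, DST, TCP, False, 185, len(payload)) + payload

if __name__ == "__main__":
    for pkt in (first_frag, second_frag):
        print("naive:", naive_ports(pkt), "| aware:", log_line(pkt))
```

The naive parser reports the ASCII of "GE"/"T " as ports for the second fragment, while the fragment-aware parser correctly reports none, which is exactly the case that shows up as ":0" in an ACL log.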

Hi there,
It was TCP, and I think it was not a DDoS attack because the traffic was not
heavy.
But I see abnormal CPU usage (99%) on my BRASs, which are Cisco 7206 VXRs.
I think it acts like a worm or some attack which causes high CPU load in
some IOS.
Thanks

> But I see abnormal CPU usage (99%) on my BRASs, which are Cisco 7206 VXRs.

If you haven't already configured CoPP on your BRASs, you might want to
look at deploying it. It won't solve this sort of problem, but it will
probably help:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

There are many other configuration examples and documentation pages on the
web, but this one gives a good overview.

Nick

i.e., a DDoS attack.

You should configure iACLs at your edge so that random sources on the Internet can't packet your routers. Hopefully, you have hardware-based edge devices, not just software-based devices and (awful) stateful firewalls - the days of software-based devices on the Internet were over years ago.

CoPP is pretty much a wash on software-based boxes; it only really helps on hardware-based boxes. And iACLs are easier/a bigger win, anyways (though anyone using software-based boxes on the Internet in 2012 is just waiting to be zorched).

Software forwarding is usually only a problem if you have the $5 CPU that Cisco puts in their $30K boxes.

The overwhelming majority of edge connections are <=1Gbps. A modern x86 can handle several of these connections *per core* at minimum packet sizes with stock Linux/BSD, including ACLs.

10G+ forwarding with minimum packet sizes is possible on a single core using optimized kernels (see Intel DPDK and PF_RING DNA).

You don't need to handle more packets than you can possibly receive over your interfaces.

> 10G+ forwarding with minimum packet sizes is possible on a single core using optimized kernels (see Intel DPDK and PF_RING DNA).

Of course it isn't. You can *approach* 10gb/sec with multiple cores and minimum packet sizes, granted.

> You don't need to handle more packets than you can possibly receive over your interfaces.

Yes, you do, because forwarding 64-byte packets at 'line-rate', whilst very important, isn't the only metric.

I know all about the forwarding capabilities of modern general-purpose CPUs, ring-buffers, et al. I know what is possible, and what isn't possible. And please, no more from the Vyatta crowd, et al. - they're like the sFlow shouters, only more so.

Roland,