The last 2 days I've been fighting against the Nachi ICMP onslaght on a customer network.
Problem is that the "random" destination traffic seem to kill my VPNs by vendor N. CPU is consumed, probably due to trying to maintain/update route cache. Or maybe it hits it's pps limit.
Ordinary traffic req. is approx. 10 Mbit/s mixed traffic.
Worm traffic I would like to be able to handle is approx 2-3kpps.
Anyone know of any VPN boxes/routers with VPN capability that is better able to handle the onslaught? Is vendors C's boxes better than Nortel's? Is CEF going to help me? Or is the problem pps related?
Will it help to throw a bigger box at the problem?
Any advice greatly appreciated.
Regards
Magnus - Sweden
All of these cute references to "vendor c" and "vendor n" go by the wayside
when we slip and say "Nortel" or refer to "CEF". 
IMHO, if you aren't breaking an NDA, you might as well name names. If you
are breaking an NDA, using initials won't screen you from legal jeopardy...
- Daniel Golding
::shrugs::
I have a bunch of Linux/FreeSwan systems acting as site to site IPSEC
gateways, IPtables firewalling, no connection tracking... At one point I
had at least three infected sites and no problems. YMMV.
In my testing my 1.mumble gHz PIII based boxes can saturate 100mbit while
using AES. Anyone using a Linux system as a router with large (ahem bigger
than /25!) subnets should be sure to adjust the neighbor table thresholds
to avoid scanning triggered problems.
Would help to know what box you're using if you want to know whether a larger
box would help.
The last 2 days I've been fighting against the Nachi ICMP onslaght on a customer network.
Have you tried rate-limiting or blocking ICMP echo/echo/reply messages?
Worm traffic will typically follow the default route to the FW for prefixes that are not in your routing table. It can help the backbone if you null-route your aggregates while permitting traffic to flow to known more-specific prefixes that are in the RT.
Problem is that the "random" destination traffic seem to kill my VPNs by vendor N. CPU is consumed, probably due to trying to maintain/update route cache. Or maybe it hits it's pps limit.
Hard to say based on the info provided. Cache churn could be part of your problem as could CPU use do the creating of cache entires.
It doesn't take any infected PC's to bring a cache based system to it's knees.
Ordinary traffic req. is approx. 10 Mbit/s mixed traffic.
Worm traffic I would like to be able to handle is approx 2-3kpps.
Anyone know of any VPN boxes/routers with VPN capability that is better able to handle the onslaught?
IOS should be able to handle this.
CEF, which is not cache based, is strongly recommend. It will switch the packets normally at high speeds w/o the extra CPU associated with cache creating/deletion. You will need to make sure that b/w and IPSEC crypto performance isn't a limiting factor as well.
Most folks identify infected hosts by Netflow, IDS, etc. Once identified, these hosts are denied access to the network using AAA, DHCP, ACL's (as applicable) until such time as the worm has been shown to be mitigated.
PBR can also be used to divert the ICMP traffic to someplace where it can be Snifed and analyzed, etc. There is more info on mitigation on the Cisco web site.
Regards,
Bruce
Daniel Golding wrote:
All of these cute references to "vendor c" and "vendor n" go by the wayside
when we slip and say "Nortel" or refer to "CEF". 
IMHO, if you aren't breaking an NDA, you might as well name names. If you
are breaking an NDA, using initials won't screen you from legal jeopardy...
I thought the letter expressions were popular to obfuscate information for the less
knowledgeable/intelligent lurkers on the list.
Pete