
List:       nfr-users
Subject:    NFR/big traffic (was Re: NFRs and firewalls)
From:       Alex Pilosov <alex () pilosoft ! com>
Date:       1999-08-31 6:59:28

A friend asked me to assist in the following situation:

A big regional ISP wants to do filtering of TCP SYN attacks BEFORE they
reach their border routers. It is impossible to do the filtering on the
routers themselves for the following reasons:
a) CPU utilization
b) asymmetric paths (the SYNACK may travel through a different router from
the one the SYN came in on, and the router will assume an attack is taking
place, while nothing of that sort is actually happening).

It is necessary to do the filtering because with Cisco CEF and MLS
enabled, each TCP connection coming through the router occupies memory,
and in the extreme case of 10k incoming connections/second, the router
becomes unstable and may crash.

The traffic in question is 5-10 uplinks, each about DS3 (45Mbps) in size,
and each may grow to OC3 in the not-so-distant future.

One of the ideas under consideration is buying a few boxes (either SPARC
or x86), installing 2xHSSI (or SONET) adapters in them, and placing them
before the router, using PPP over HSSI, with an ethernet maintenance
network to exchange SYN traffic data (number of SYNs to each IP address,
incoming and outgoing). One box will be placed in front of each interface.

The assumption here is that attacks are most often directed towards one IP
address in the network, and either temporarily disabling connectivity to
that IP or limiting the incoming connections/second will fix the problem.

We can either write custom code to do attack detection, dynamically
installing filters on the box itself (or remotely installing them on the
router from the box), or use NFR n-code to help us.

The questions arise:

a) does NFR support filtering on near-OC3-speed interface?

b) does NFR support PPP interfaces?

c) how easy it would be to write n-code/plugin/whatever to tally and
report every second how many SYN and SYNACK packets were sent to/from each
IP address?

d) how easy it is to write a plugin/whatever to either log into the Cisco
router and add an ACL, or tell the box itself to drop/limit such traffic?

e) Would FreeBSD or Solaris on decent hardware cope with filtering and
forwarding of 100Mbps traffic? (there wouldn't be many routes filtered).

Thank you
-alex
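As an added illustration of question c) above (this is example code written for this page, not the poster's design and not NFR n-code): a per-second tally of SYNs sent to each IP and SYN-ACKs sent from each IP, with the per-box tallies merged before deciding which IP is under attack. The merge step is what handles the asymmetric-path problem the post describes: a box that sees only the inbound SYNs for a busy server, while the SYN-ACKs leave through another box, would otherwise flag that server as a victim. The traffic, the two-box layout, the IP addresses and the thresholds (100 SYNs/second, 90% unanswered) are all constructed assumptions for the demo; the packet tuples stand in for whatever the sensor decodes off the wire.

```python
"""Per-second SYN / SYN-ACK tally with a merge across sensor boxes.

Added example, not code from the original post and not NFR n-code.
Assumes each box exports, once per second, how many SYNs it saw towards
each destination IP and how many SYN-ACKs it saw from each source IP, and
that a collector merges those tallies before deciding anything.
"""
from collections import Counter

# TCP flag bits (RFC 793 header layout)
SYN = 0x02
ACK = 0x10


def tally_packets(packets):
    """Tally one box's packets for one second.

    packets: iterable of (src_ip, dst_ip, tcp_flags) tuples. Constructed
    input here; a real sensor would decode these from the wire.
    Returns (syn_to, synack_from), both keyed by the IP that is the
    target of the connection attempt (dst of the SYN, src of the SYN-ACK).
    """
    syn_to = Counter()
    synack_from = Counter()
    for src, dst, flags in packets:
        if flags & SYN and not flags & ACK:      # bare SYN
            syn_to[dst] += 1
        elif flags & SYN and flags & ACK:        # SYN-ACK
            synack_from[src] += 1
    return syn_to, synack_from


def merge_tallies(tallies):
    """Sum the per-box tallies exchanged over the maintenance network."""
    syn_total, synack_total = Counter(), Counter()
    for syn_to, synack_from in tallies:
        syn_total.update(syn_to)
        synack_total.update(synack_from)
    return syn_total, synack_total


def suspects(syn_total, synack_total, syn_threshold, unanswered_ratio):
    """IPs over the SYN-rate threshold whose SYNs mostly went unanswered.

    Returns {ip: (syns_seen, synacks_seen)}. A server that answers its
    SYNs is busy, not attacked, so it is not reported even at a high rate.
    """
    out = {}
    for ip, syns in syn_total.items():
        if syns < syn_threshold:
            continue
        answered = synack_total.get(ip, 0)
        if syns - answered >= unanswered_ratio * syns:
            out[ip] = (syns, answered)
    return out


def sample_second():
    """Constructed traffic for one second, split by which box saw it."""
    box_a, box_b = [], []
    # Flood: 500 SYNs/s to 10.0.0.5 from spoofed sources, all via box A.
    for i in range(500):
        box_a.append((f"192.0.2.{i % 254 + 1}", "10.0.0.5", SYN))
    # Busy but healthy server 10.0.0.7: 300 SYNs/s in via box A ...
    for i in range(300):
        box_a.append((f"198.51.100.{i % 254 + 1}", "10.0.0.7", SYN))
    # ... and its 300 SYN-ACKs leave via box B (asymmetric path).
    for i in range(300):
        box_b.append(("10.0.0.7", f"198.51.100.{i % 254 + 1}", SYN | ACK))
    # The flood target only manages a handful of replies.
    for i in range(3):
        box_b.append(("10.0.0.5", f"192.0.2.{i + 1}", SYN | ACK))
    return box_a, box_b


def demo(syn_threshold=100, unanswered_ratio=0.9):
    """Return (what box A alone would flag, what the merged view flags)."""
    box_a, box_b = sample_second()
    ta, tb = tally_packets(box_a), tally_packets(box_b)
    local_only = suspects(*ta, syn_threshold, unanswered_ratio)
    merged = suspects(*merge_tallies([ta, tb]), syn_threshold, unanswered_ratio)
    return local_only, merged


if __name__ == "__main__":
    local_only, merged = demo()
    print("box A alone would flag:", sorted(local_only))
    print("merged view flags:", merged)
```

Run stand-alone it shows box A on its own flagging both 10.0.0.5 and the healthy 10.0.0.7, while the merged tallies flag only 10.0.0.5 (500 SYNs, 3 SYN-ACKs). The output of `suspects()` is the list the post wants to act on, whether by pushing an ACL to the router or by rate-limiting on the box itself.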

****************************************************************
TO POST A MESSAGE on this list, send it to nfr-users@lists.nfr.net.
TO UNSUBSCRIBE from this list, send the following text in the
message body (not subject line) to majordomo@lists.nfr.net

unsubscribe nfr-users Your-Email-Address
****************************************************************

