nanog mailing list archives
Re: DoS attacks, NSPs unresponsiveness
From: Joe Shaw <jshaw () insync net>
Date: Thu, 2 Nov 2000 11:50:07 -0600 (CST)
On Thu, 2 Nov 2000, John Kristoff wrote:
J Bacher wrote:Some suggestions:A response I get is that they won't do it because it has a negative performance impact on their routers. They blame the router vendors. Suggestion 5), someone calculate what performance penalty there is for typical router configurations when these filters are applied. Show some performance numbers that make the case for or against filtering.
You'll need to take into account the type of hardware being used, as well as the platforms ability to take 'compiled' filter lists, like what Cisco calls Turbo ACL's. Turbo ACL's require 12.0(1)T and up on the 7200-12000 platforms, and supposedly require the same time to process whether the ACL is 1 line or 100. Are there any Tier 1 providers who are using hardware less powerful than the 7200 series? Where I'm currently at, we don't use anything less powerful than the 7200VXR series, with the majority of our hardware made up of GSR's, but we're not a Tier1 provider either. Is there a significant amount of legacy gear deployed out in the Tier-1 networks? I still think my idea of having the router core logic work in a "I don't advertise network x.x.x.x, so I don't pass traffic from network x.x.x.x" manner is an ideal solution, and should work as fast as route table lookups. So far, no one has presented a case where opposite behavior is desirable. -- Joseph W. Shaw Sr. Network Security Specialist for Big Company not to be named because I don't speak for them here. I have public opinions, and they don't.
Current thread:
- Re: DoS attacks, NSPs unresponsiveness, (continued)
- Re: DoS attacks, NSPs unresponsiveness John Fraizer (Nov 03)
- Re: DoS attacks, NSPs unresponsiveness Simon Lyall (Nov 03)
- Re: DoS attacks, NSPs unresponsiveness Mark Mentovai (Nov 02)
- RE: DoS attacks, NSPs unresponsiveness rick (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness Valdis . Kletnieks (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness J Bacher (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness Valdis . Kletnieks (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness J Bacher (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness John Kristoff (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness J Bacher (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness Joe Shaw (Nov 02)
- Message not available
- Re: DoS attacks, NSPs unresponsiveness Valdis . Kletnieks (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness Ariel Biener (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness dies (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness Daniel Senie (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness Randy Bush (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness Ariel Biener (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness dies (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness Ariel Biener (Nov 02)
- Re: DoS attacks, NSPs unresponsiveness John Payne (Nov 03)
- Re: DoS attacks, NSPs unresponsiveness dies (Nov 03)