nanog mailing list archives
Re: IPSEC VPNs capable of handling worm traffic
From: Greg Maxwell <gmaxwell () martin fl us>
Date: Wed, 19 Nov 2003 21:16:07 -0500 (EST)
On Thu, 20 Nov 2003, Magnus Eriksson wrote:
The last 2 days I've been fighting against the Nachi ICMP onslaught on a customer network. Problem is that the "random" destination traffic seems to kill my VPNs by vendor N. CPU is consumed, probably due to trying to maintain/update route cache. Or maybe it hits its pps limit. Ordinary traffic req. is approx. 10 Mbit/s mixed traffic. Worm traffic I would like to be able to handle is approx 2-3kpps. Anyone know of any VPN boxes/routers with VPN capability that is better able to handle the onslaught? Are vendor C's boxes better than Nortel's? Is CEF going to help me? Or is the problem pps related? Will it help to throw a bigger box at the problem? Any advice greatly appreciated.
::shrugs:: I have a bunch of Linux/FreeSwan systems acting as site-to-site IPSEC gateways, iptables firewalling, no connection tracking... At one point I had at least three infected sites and no problems. YMMV. In my testing my 1.mumble GHz PIII based boxes can saturate 100mbit while using AES. Anyone using a Linux system as a router with large (ahem, bigger than /25!) subnets should be sure to adjust the neighbor table thresholds to avoid scanning-triggered problems.
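Greg's closing point about neighbor table thresholds, as an added Python example that is not part of the thread: a scanning worm makes a Linux router try to resolve every host address on its large directly connected subnets, and when the resulting incomplete entries exceed the kernel's default gc_thresh3 the table overflows and legitimate resolution fails. The script sizes net.ipv4.neigh.default.gc_thresh1/2/3 from the connected prefix lengths and measures the share of incomplete entries in a /proc/net/arp snapshot; the interface names, prefix lengths and the ARP sample are constructed assumptions.

```python
"""Size Linux neighbor-table thresholds for large connected subnets and
spot scan-driven pressure in /proc/net/arp.  Added example; the sysctl
names and kernel defaults are real, the interface data is constructed."""

# Assumed router layout: directly connected IPv4 prefix lengths per interface.
CONNECTED_PREFIXES = {"eth1": 22, "eth2": 24, "eth3": 20}

# Kernel defaults for net.ipv4.neigh.default.gc_thresh{1,2,3}.
DEFAULT_THRESH = {"gc_thresh1": 128, "gc_thresh2": 512, "gc_thresh3": 1024}

def worst_case_neighbors(prefixes):
    """Upper bound on entries: every host on every connected subnet, which
    is exactly what a subnet-scanning worm makes the router try to resolve."""
    return sum((1 << (32 - plen)) - 2 for plen in prefixes.values())

def thresholds_adequate(thresh, prefixes):
    """gc_thresh3 is the hard cap; below the worst case the table can overflow."""
    return thresh["gc_thresh3"] >= worst_case_neighbors(prefixes)

def recommend_thresholds(prefixes, headroom=2):
    """Raise gc_thresh3 to a power of two above worst case (with headroom)
    and scale gc_thresh2/gc_thresh1 below it, as Greg suggests doing."""
    need = worst_case_neighbors(prefixes) * headroom
    thresh3 = 1 << (need - 1).bit_length()       # next power of two >= need
    return {"gc_thresh1": thresh3 // 4, "gc_thresh2": thresh3 // 2,
            "gc_thresh3": thresh3}

def sysctl_lines(thresh):
    """Render the values as lines suitable for /etc/sysctl.conf."""
    return [f"net.ipv4.neigh.default.{k} = {v}" for k, v in thresh.items()]

# Constructed /proc/net/arp snapshot; flags 0x0 means an unanswered (incomplete) entry.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
10.1.0.7         0x1         0x2         00:11:22:33:44:55     *        eth1
10.1.1.200       0x1         0x0         00:00:00:00:00:00     *        eth1
10.1.2.13        0x1         0x0         00:00:00:00:00:00     *        eth1
10.2.0.9         0x1         0x2         00:11:22:33:44:66     *        eth2
"""

def incomplete_ratio(arp_text):
    """Fraction of neighbor entries stuck incomplete: a rising ratio on a
    big subnet is the signature of scan traffic filling the table."""
    rows = [line.split() for line in arp_text.splitlines()[1:] if line.strip()]
    incomplete = sum(1 for r in rows if int(r[2], 16) == 0)
    return incomplete / len(rows) if rows else 0.0

if __name__ == "__main__":
    print("adequate with defaults:", thresholds_adequate(DEFAULT_THRESH, CONNECTED_PREFIXES))
    print("\n".join(sysctl_lines(recommend_thresholds(CONNECTED_PREFIXES))))
    print("incomplete ratio:", incomplete_ratio(SAMPLE_ARP))
```

The computed values are a starting point; on a real router compare them against `ip -s neigh` counts under load before committing them.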