subject: (Fwd) Re: Arrowpoint CS-100 attack
posted: Wed, 18 Oct 2000 14:03:41 +0100



------- Forwarded message follows -------
Date sent: Mon, 16 Oct 2000 22:49:28 -0700
Send reply to: [email protected]
From: [email protected]
Subject: Re: Arrowpoint CS-100 attack
Originally to: Thiago Madeira de Lima <[email protected]>
To: [email protected]

Always when you see this kind of attack... take a few stats.

During the attack, look at the output from
'show dos'
'show dos sum'
'show mem'

The above will show you the source of the attacks (spoofed), and memory
usage. A reboot will bring things back to normal, but once the CPU is
pegged again the same thing will happen. You can also enable various
syslog levels to log the sources.. But these will almost all be
spoofed, RFC-1918 addresses.

The Arrowpoints are great in the fact that they help to
prevent SYN, Illegal Src attacks, etc. Unlike most
load balancers, which will blindly load balance any attack (BigIP)
or use some kind of counters (Alteons), during a regular TCP
handshake the Arrowpoint intercepts the packet destined for
load-balanced machines, spoofs the connection and sends a SYN ACK back
to the source; if the source does not answer back the connection is
dropped. This all takes a lot of CPU, and if the attack is great it
will overwhelm the CPU, as is the case in what is happening to you
right now.. YOU don't want to turn this feature off; you have more
other important issues to worry about here, since if you turn off
these features the attack will be passed on to your machines, which
will be hammered. You have some choices here: get a higher end
Arrowpoint.. CS-150?? If the load of traffic + attack will be too
great for the 150, go 800. These are modular and can be very expensive
but worth all the money. Since it's modular it can grow as your network
grows..

Put a firewall in front of the Arrowpoint and have it deal with the
attacks. A NetScreen-100 (www.netscreen.net) should work fine; it's a
hardware/firmware solution, and not expensive at all.

my 2 cents.

On Mon, Oct 16, 2000 at 02:39:05PM -0200, Thiago Madeira de Lima wrote:
> Hello,
>
> I'm experiencing a very hard/strange attack.
>
> I run a service which has the following architecture:
>
> 1 Arrowpoint CS-100
> 2 Cacheflows in one vip, which is the website address (200.x.x.1)
> 1 Server in one vip. (200.x.x.2)
>
> This configuration works very fine, but someone is attacking the ip
> 200.x.x.1 and then the Arrowpoint starts saying that there's *MANY*
> 'Illegal Source Attack', and it starts to work very slow and kills all
> services. It stops packet forwarding to the servers and marks all
> servers as down.
>
> I'm receiving something about 15Mbits of this strange traffic. And I
> couldn't verify what it is, because the Arrowpoint does not forward
> those packets to the real server nor the cache.
>
> I looked at the Arrowpoint manual and there's nothing about how to
> disable the DOS filter, which I think could be an answer. Maybe the
> caches or the server could handle the problem a little better.
>
> My problem right now is how to identify what attack is really
> happening, and then filter the attack someplace before the Arrowpoint.
>
> Any tricks?
>
> Thanks a lot
> Thiago


------- End of forwarded message -------
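The handshake interception the reply describes (answer the client's SYN on the server's behalf, hold a half-open entry, drop it if no ACK ever comes, count private-space sources as illegal) modelled as a small simulation. This is an added example, not code from the thread or from the Arrowpoint; the class, timeout value and traffic sample are all constructed assumptions, chosen to show why a flood of never-completed, spoofed SYNs costs the appliance state and CPU.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed value: how long a half-open entry is kept before it is dropped.
HALF_OPEN_TIMEOUT = 3.0
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(src: str) -> bool:
    """True if src lies in private address space (never a real Internet client)."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in PRIVATE_NETS)

@dataclass
class SynProxy:
    half_open: dict = field(default_factory=dict)  # (src, sport) -> expiry time
    completed: int = 0        # handshakes the client finished
    dropped: int = 0          # half-open entries that timed out
    illegal_source: int = 0   # SYNs from RFC-1918 space, refused outright

    def on_syn(self, src, sport, now):
        if is_rfc1918(src):           # spend no state on an impossible source
            self.illegal_source += 1
            return "drop"
        self.half_open[(src, sport)] = now + HALF_OPEN_TIMEOUT
        return "syn-ack"              # proxy answers on the server's behalf

    def on_ack(self, src, sport, now):
        self.expire(now)
        if self.half_open.pop((src, sport), None) is None:
            return "no-state"         # ACK for a connection we never saw
        self.completed += 1
        return "established"          # only now is the real server involved

    def expire(self, now):
        stale = [k for k, t in self.half_open.items() if t <= now]
        for k in stale:
            del self.half_open[k]
        self.dropped += len(stale)
        return len(stale)

# Constructed traffic: one real client that completes, three spoofed public
# sources that never ACK, two SYNs from private space.
EVENTS = [(0.0, "syn", "203.0.113.5", 40000), (0.1, "ack", "203.0.113.5", 40000),
          (0.2, "syn", "198.51.100.7", 1025), (0.2, "syn", "198.51.100.8", 1026),
          (0.2, "syn", "198.51.100.9", 1027), (0.3, "syn", "10.1.2.3", 1028),
          (0.3, "syn", "192.168.1.1", 1029)]

def simulate(events):
    """Replay (time, kind, src, sport) events, then let the last timeout lapse."""
    p = SynProxy()
    for t, kind, src, sport in events:
        p.on_syn(src, sport, t) if kind == "syn" else p.on_ack(src, sport, t)
    p.expire(events[-1][0] + HALF_OPEN_TIMEOUT)
    return p
```

Between the flood's SYNs and their expiry, `half_open` holds one entry per spoofed source; with real attack rates that table, and the work of answering each SYN, is the CPU and memory load 'show mem' and 'show dos' are being used to observe.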
