6500 and DOS

Discussion in 'Cisco' started by Gary, Aug 18, 2006.

  1. Gary

    Gary Guest

    I need to find a way to analyse DoS attacks and see where traffic is coming
    from and going to or vice versa. We run Cat 6500's so I need something that
    will not kill the CPU of the machine which may already be stressed.

    Does the 6500 provide any mechanisms for this?

    Thanks
    Gary
     
    Gary, Aug 18, 2006
    #1

  2. Gary

    Merv Guest

    Gary wrote:
    > I need to find a way to analyse DoS attacks and see where traffic is coming
    > from and going to or vice versa. We run Cat 6500's so I need something that
    > will not kill the CPU of the machine which may already be stressed.
    >
    > Does the 6500 provide any mechanisms for this?



    Start with Cisco doc

    Protecting the Cisco Catalyst 6500 Series Switches Against
    Denial-Of-Service Attacks

    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd802ca5d6.shtml


    One of the first things I would suggest is that the 6500's be migrated
    to native IOS mode.
     
    Merv, Aug 18, 2006
    #2

  3. Gary

    Gary Guest

    "Merv" <> wrote in message
    news:...
    >
    > Gary wrote:
    >> I need to find a way to analyse DoS attacks and see where traffic is
    >> coming
    >> from and going to or vice versa. We run Cat 6500's so I need something
    >> that
    >> will not kill the CPU of the machine which may already be stressed.
    >>
    >> Does the 6500 provide any mechanisms for this?

    >
    >
    > Start with Cisco doc
    >
    > Protecting the Cisco Catalyst 6500 Series Switches Against
    > Denial-Of-Service Attacks
    >
    > http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd802ca5d6.shtml
    >
    >
    > One of the first things I would suggest is that the 6500's be migrated
    > to native IOS mode.
    >


    I just need something to show the IP being targeted, inbound or outbound, and by
    whom.

    Gary
     
    Gary, Aug 18, 2006
    #3
  4. Gary

    Merv Guest

    Depending on the volume of traffic, one thing that can be done is to use
    the SPAN feature to set up a monitoring port for the interface(s) over
    which the 6500 receives Internet traffic.

    Connect a PC with Ethereal installed and run a capture. Then use the
    analysis report that shows connection endpoints.

    You could also look at enabling NetFlow accounting, which will show
    source and destination IP addresses and port numbers.
     
    Merv, Aug 19, 2006
    #4
  5. Gary

    Gary Guest

    NetFlow sounds good. Is it a big overhead, and how do I enable it?

    Gary
    "Merv" <> wrote in message
    news:...
    > Depending on the volume of traffic, one thing that can be done is to use
    > the SPAN feature to set up a monitoring port for the interface(s) over
    > which the 6500 receives Internet traffic.
    >
    > Connect a PC with Ethereal installed and run a capture. Then use the
    > analysis report that shows connection endpoints.
    >
    > You could also look at enabling NetFlow accounting, which will show
    > source and destination IP addresses and port numbers.
    >
     
    Gary, Aug 20, 2006
    #5
  6. Gary

    Merv Guest


    > NetFlow sounds good. Is it a big overhead, and how do I enable it?



    start with
    http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html

    I believe NETFLOW now supports sampling so you can control how much
    data it collects and thus control the associated overhead ( probably
    requires a PFC)


    Please post show version and show module for the 6500 switch facing the
    Internet.
     
    Merv, Aug 20, 2006
    #6
  7. Gary

    Gary Guest

    "Merv" <> wrote in message
    news:...
    >
    >
    >> NetFlow sounds good. Is it a big overhead, and how do I enable it?

    >
    >
    > start with
    > http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html
    >
    > I believe NETFLOW now supports sampling so you can control how much
    > data it collects and thus control the associated overhead ( probably
    > requires a PFC)
    >
    >
    > Please post show version and show module for the 6500 switch facing the
    > Internet.
    >


    It has a Supervisor Engine 720 (Active) WS-SUP720-3BXL,
    WS-F6K-PFC3BXL, MSFC3 Daughterboard

    If you let me have the commands I can test - TIA
    Gary
     
    Gary, Aug 20, 2006
    #7
  8. Gary

    Merv Guest


    > It has a Supervisor Engine 720 (Active) WS-SUP720-3BXL,
    > WS-F6K-PFC3BXL, MSFC3 Daughterboard


    excellent !!!

    what IOS version ???
     
    Merv, Aug 20, 2006
    #8
  9. Gary

    Merv Guest

    Hopefully this will get you started

    ! Configure NetFlow on 6500

    ! 1. enable NetFlow on PFC

    mls netflow


    ! 2. config the type flow mask to be used by NetFlow

    mls flow ip full


    ! 3. display NetFlow flowmask configured

    sh mls netflow flowmask

    current ip flowmask for unicast: full
    current ipv6 flowmask for unicast: null


    ! 4. check NetFlow cache aging timers

    show mls netflow aging

    enable timeout packet threshold
    ------ ------- ----------------
    normal aging true 300 N/A
    fast aging false 32 100
    long aging true 1920 N/A



    ! 5. display NetFlow accounting information for traffic switched by PFC


    sh mls netflow ip any

    Displaying Netflow entries in Supervisor Earl
    DstIP SrcIP Prot:SrcPort:DstPort Src i/f
    :AdjPtr
    -----------------------------------------------------------------------------
    Pkts Bytes Age LastSeen Attributes
    ---------------------------------------------------
    5.38.7.11 223.255.254.254 tcp :45736 :telnet :0x0
    0 0 314 08:54:44 L3 - Dynamic
    5.38.7.11 5.38.0.2 udp :ntp :ntp :0x0
    0 0 527 08:54:29 L3 - Dynamic
    0.0.0.0 0.0.0.0 0 :0 :0 :0x0
    1238 58508 1817 08:54:34 L3 - Dynam





    For configuration of NetFlow sampling see :



    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a0080160a2b.html
     
    Merv, Aug 20, 2006
    #9
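    Gary's original question was which IP is being targeted and by whom. The
    script below is an added example, not code from the thread or from Cisco: it
    parses captured "sh mls netflow ip any" output of the two-line form shown in
    this post and ranks destinations by how many distinct sources hit them (a
    fan-in spike is a better flood indicator than raw packet counts, which the
    wildcard 0.0.0.0 entry dominates) and by packets, with the same view from the
    source side. The sample output is constructed: it keeps the three entries
    quoted above and adds four made-up flows (the 198.51.100.x and 203.0.113.x
    sources and destination 5.38.7.12) so the ranking has something to show. The
    field names and regular expressions are assumptions about the output layout
    quoted here, not a documented Cisco format.

```python
"""Rank targets and talkers from Catalyst 6500 'sh mls netflow ip any' output.

Added example for this thread; not Cisco code.  Each flow entry in the quoted
show output occupies two physical lines (layout assumed from the post):
  <DstIP> <SrcIP> <Prot> :<SrcPort> :<DstPort> [<Src i/f>] :<AdjPtr>
  <Pkts> <Bytes> <Age> <LastSeen> <Attributes>
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the three entries quoted in the thread plus four made-up
# flows (198.51.100.x / 203.0.113.x sources, destination 5.38.7.12).
SAMPLE_OUTPUT = """\
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f  :AdjPtr
-----------------------------------------------------------------------------
Pkts    Bytes    Age   LastSeen  Attributes
---------------------------------------------------
5.38.7.11       223.255.254.254 tcp :45736 :telnet   :0x0
0       0        314   08:54:44  L3 - Dynamic
5.38.7.11       5.38.0.2        udp :ntp   :ntp      :0x0
0       0        527   08:54:29  L3 - Dynamic
0.0.0.0         0.0.0.0         0   :0     :0        :0x0
1238    58508    1817  08:54:34  L3 - Dynamic
5.38.7.11       198.51.100.7    tcp :40001 :www      :0x0
3       180      12    08:54:40  L3 - Dynamic
5.38.7.11       198.51.100.8    tcp :40002 :www      :0x0
2       120      11    08:54:41  L3 - Dynamic
5.38.7.11       203.0.113.9     tcp :40003 :www      :0x0
4       240      10    08:54:42  L3 - Dynamic
5.38.7.12       5.38.0.2        tcp :51000 :https    :0x0
900     700000   95    08:54:30  L3 - Dynamic
"""

FLOW_LINE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<prot>\S+)\s+:(?P<sport>\S+)\s+:(?P<dport>\S+)"
    r"\s+(?:(?P<iface>[^:\s]\S*)\s+)?:(?P<adj>0x[0-9A-Fa-f]+)\s*$"
)
STATS_LINE = re.compile(
    r"^(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<age>\d+)\s+"
    r"(?P<seen>\d\d:\d\d:\d\d)\s+(?P<attr>.*\S)\s*$"
)


def parse_mls_netflow(text):
    """Pair each flow line with the statistics line that follows it."""
    flows, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is None:
            m = FLOW_LINE.match(line)
            if m:                       # headers and separators never match
                pending = m.groupdict()
            continue
        m = STATS_LINE.match(line)
        if not m:                       # flow line without stats: resync
            m2 = FLOW_LINE.match(line)
            pending = m2.groupdict() if m2 else None
            continue
        s = m.groupdict()
        flows.append({"dst": pending["dst"], "src": pending["src"],
                      "prot": pending["prot"], "sport": pending["sport"],
                      "dport": pending["dport"], "pkts": int(s["pkts"]),
                      "bytes": int(s["bytes"]), "age": int(s["age"]),
                      "last_seen": s["seen"], "attributes": s["attr"]})
        pending = None
    return flows


def summarize(flows, group="dst", ignore=("0.0.0.0",)):
    """Aggregate per IP in `group` ('dst' or 'src'): packets, bytes, distinct
    peers on the other side, and destination ports seen.  The wildcard
    0.0.0.0 catch-all entry is skipped so it cannot dominate the totals."""
    other = "src" if group == "dst" else "dst"
    summary = defaultdict(lambda: {"pkts": 0, "bytes": 0,
                                   "peers": set(), "dports": Counter()})
    for f in flows:
        if f["dst"] in ignore or f["src"] in ignore:
            continue
        e = summary[f[group]]
        e["pkts"] += f["pkts"]
        e["bytes"] += f["bytes"]
        e["peers"].add(f[other])
        e["dports"][f["dport"]] += 1
    return dict(summary)


def rank(summary, by="peers", n=5):
    """Top-n IPs as (ip, distinct_peers, pkts, bytes), sorted by `by`."""
    def key(item):
        e = item[1]
        return len(e["peers"]) if by == "peers" else e[by]
    top = sorted(summary.items(), key=key, reverse=True)[:n]
    return [(ip, len(e["peers"]), e["pkts"], e["bytes"]) for ip, e in top]


if __name__ == "__main__":
    flows = parse_mls_netflow(SAMPLE_OUTPUT)
    by_dst = summarize(flows, "dst")
    print("Destinations by distinct sources (fan-in):")
    for ip, peers, pkts, nbytes in rank(by_dst, by="peers"):
        print(f"  {ip:16} sources={peers:<4} pkts={pkts:<6} bytes={nbytes}"
              f"  top dports={by_dst[ip]['dports'].most_common(2)}")
    print("Sources by distinct destinations (fan-out):")
    for ip, peers, pkts, nbytes in rank(summarize(flows, "src"), by="peers"):
        print(f"  {ip:16} dests={peers:<4} pkts={pkts:<6} bytes={nbytes}")
```

    Run it against a saved copy of the show output (replace SAMPLE_OUTPUT with
    the file contents); ranking by peers surfaces 5.38.7.11 with five distinct
    sources on the www port, whereas ranking by packets would put the single
    busy https session to 5.38.7.12 first. Since the PFC table ages entries on
    a fixed schedule and can fill up, treat the counts as a snapshot rather than
    a complete tally.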
  10. Gary

    Gary Guest

    "Merv" <> wrote in message
    news:...
    >
    > Hopefully this will get you started
    >
    > ! Configure NetFlow on 6500
    >
    > ! 1. enable NetFlow on PFC
    >
    > mls netflow
    >
    >
    > ! 2. config the type flow mask to be used by NetFlow
    >
    > mls flow ip full
    >
    >
    > ! 3. display NetFlow flowmask configured
    >
    > sh mls netflow flowmask
    >
    > current ip flowmask for unicast: full
    > current ipv6 flowmask for unicast: null
    >
    >
    > ! 4. check NetFlow cache aging timers
    >
    > show mls netflow aging
    >
    > enable timeout packet threshold
    > ------ ------- ----------------
    > normal aging true 300 N/A
    > fast aging false 32 100
    > long aging true 1920 N/A
    >
    >
    >
    > ! 5. display NetFlow accounting information for traffic switched by PFC
    >
    >
    > sh mls netflow ip any
    >
    > Displaying Netflow entries in Supervisor Earl
    > DstIP SrcIP Prot:SrcPort:DstPort Src i/f
    > :AdjPtr
    > -----------------------------------------------------------------------------
    > Pkts Bytes Age LastSeen Attributes
    > ---------------------------------------------------
    > 5.38.7.11 223.255.254.254 tcp :45736 :telnet :0x0
    > 0 0 314 08:54:44 L3 - Dynamic
    > 5.38.7.11 5.38.0.2 udp :ntp :ntp :0x0
    > 0 0 527 08:54:29 L3 - Dynamic
    > 0.0.0.0 0.0.0.0 0 :0 :0 :0x0
    > 1238 58508 1817 08:54:34 L3 - Dynam
    >
    >
    >
    >
    >
    > For configuration of NetFlow sampling see :
    >
    >
    >
    > http://www.cisco.com/en/US/products...figuration_guide_chapter09186a0080160a2b.html
    >


    Worked a treat!

    What is the overhead during a DoS

    Thanks
    Gary
     
    Gary, Aug 23, 2006
    #10
  11. Gary

    Simon Leinen Guest

    Gary writes:
    > "Merv" <> wrote in message
    > news:...
    >>
    >> Hopefully this will get you started
    >>
    >> ! Configure NetFlow on 6500
    >>
    >> ! 1. enable NetFlow on PFC

    [...]
    > Worked a treat!


    > What is the overhead during a DoS


    For packets forwarded by the PFC-2 and PFC-3, Netflow statistics are
    *collected* "in hardware", so enabling Netflow (even without sampling)
    won't have a negative impact on forwarding performance.

    However, table maintenance, i.e. aging out old entries, and possibly
    exporting them when NDE (Netflow export) is enabled, does use CPU
    cycles. That is particularly noticeable when there is a high number
    of flows, as is seen during aggressive port scanning or some kinds of
    DoS.

    PFC (MLS) Netflow table maintenance is mostly done by the Switch
    Processor on the Supervisor, not by the Route Processor (MSFC). NDE
    (Netflow export from the PFC) used to load the MSFC somewhat, but
    since or 12.2SXE (I think), NDE is done entirely by the Switch
    Processor.

    There is an upper limit on the amount of maintenance work for MLS
    Netflow, because the table is "walked" at a fixed rate (~32K entries
    every second, I think). Therefore I don't think you need to be
    worried that a flow-heavy DoS may bring your box down. I think there
    may be small issues for things like reading interface counters when
    the Switch Processor is heavily loaded, but everything else should
    work just fine.

    Because the PFC/MLS Netflow table has a fixed size (128K entries on
    the PFC-2/PFC-3, 256K on the PFC-3BXL), and aging out old entries is
    done on a fixed schedule, the hardware Netflow table will run full
    when there are too many flows. This just means that some packets
    cannot be accounted for in Netflow.
    --
    Simon.
     
    Simon Leinen, Aug 28, 2006
    #11
  12. Gary

    Hansang Bae Guest

    Simon Leinen wrote:
    > For packets forwarded by the PFC-2 and PFC-3, Netflow statistics are
    > *collected* "in hardware", so enabling Netflow (even without sampling)
    > won't have a negative impact on forwarding performance.
    >
    > However, table maintenance, i.e. aging out old entries, and possibly
    > exporting them when NDE (Netflow export) is enabled, does use CPU
    > cycles. That is particularly noticeable when there is a high number
    > of flows, as is seen during aggressive port scanning or some kinds of
    > DoS.


    We actually had to upgrade all our MSFC2 boxes to SUP720's because NDE
    caused the CPUs to spike to 100%. There was no impact on traffic
    being switched, but core routers running at 100% is never a good thing!

    [snip]



    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Aug 29, 2006
    #12
