6500 and DOS

I need to find a way to analyse DoS attacks and see where traffic is coming from and going to or vice versa. We run Cat 6500's so I need something that will not kill the CPU of the machine which may already be stressed.

Does the 6500 provide any mechanisms for this?

Thanks Gary

Reply to
Gary

Start with Cisco doc

Protecting the Cisco Catalyst 6500 Series Switches Against Denial-Of-Service Attacks


One of the first things I would suggest is that the 6500's be migrated to native IOS mode.

Reply to
Merv


Just need something to show IP being targeted inbound or outbound and by whom?

Gary

Reply to
Gary

Depending on the volume of traffic one thing that can be done is to use the SPAN feature to set up a monitoring port for the interface(s) over which the 6500 receives Internet traffic.

Connect a PC with Ethereal installed and run a capture. Then use the analysis report that shows connection endpoints.

You could also look at enabling NETFLOW accounting which will show source and destination IP address and port numbers.

Reply to
Merv

NETFLOW sounds good. Is it a big overhead and how do I enable it?

Reply to
Gary

start with

I believe NETFLOW now supports sampling so you can control how much data it collects and thus control the associated overhead ( probably requires a PFC)

Please post show version and show module for the 6500 switch facing the Internet.

Reply to
Merv

It has a Supervisor Engine 720 (Active) WS-SUP720-3BXL, WS-F6K-PFC3BXL, MSFC3 Daughterboard

If you let me have the commands I can test - TIA Gary

Reply to
Gary

excellent !!!

what IOS version ???

Reply to
Merv

Hopefully this will get you started

! Configure NetFlow on 6500

! 1. enable NetFlow on PFC
mls netflow

! 2. config the type flow mask to be used by NetFlow
mls flow ip full

! 3. display NetFlow flowmask configured
sh mls netflow flowmask

current ip flowmask for unicast: full
current ipv6 flowmask for unicast: null

! 4. check NetFlow cache aging timers
show mls netflow aging

                enable  timeout  packet threshold
                ------  -------  ----------------
normal aging    true    300      N/A
fast aging      false   32       100
long aging      true    1920     N/A

! 5. display NetFlow accounting information for traffic switched by PFC
sh mls netflow ip any

Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
5.38.7.11       223.255.254.254 tcp :45736 :telnet                    :0x0
0            0             314   08:54:44  L3 - Dynamic
5.38.7.11       5.38.0.2        udp :ntp   :ntp                       :0x0
0            0             527   08:54:29  L3 - Dynamic
0.0.0.0         0.0.0.0         0   :0     :0                         :0x0
1238         58508         1817  08:54:34  L3 - Dynam

For configuration of NetFlow sampling see :


Reply to
Merv
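As an added example (not part of the thread), a small Python script that turns the two-line-per-flow output of sh mls netflow ip any into the answer Gary asked for: which destination IP is receiving the most packets and from how many distinct sources, and which sources send the most. The sample output is constructed, and the column layout is assumed to match the Sup720 output shown in the post above.

```python
import re
from collections import Counter

# Constructed sample in the two-line-per-flow layout of "sh mls netflow ip any"
# (addresses and counters are made up for this example, not captured flows).
SAMPLE = """\
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
192.0.2.10      198.51.100.7    tcp :45736 :www                       :0x0
5000         300000        12    08:54:44  L3 - Dynamic
192.0.2.10      198.51.100.8    tcp :45737 :www                       :0x0
4000         240000        11    08:54:44  L3 - Dynamic
192.0.2.10      198.51.100.9    tcp :45738 :www                       :0x0
3000         180000        10    08:54:44  L3 - Dynamic
192.0.2.22      203.0.113.5     udp :ntp   :ntp                       :0x0
10           760           527   08:54:29  L3 - Dynamic
"""

# Entry line 1: DstIP SrcIP Prot :SrcPort :DstPort ...  Entry line 2: Pkts Bytes Age ...
FLOW_RE = re.compile(r"^(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
                     r"(?P<proto>\S+)\s*:(?P<sport>\S+)\s*:(?P<dport>\S+)")
STATS_RE = re.compile(r"^(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<age>\d+)\s+")

def parse_flows(text):
    """Pair each flow header line with the counter line that follows it."""
    flows, pending = [], None
    for line in text.splitlines():
        if m := FLOW_RE.match(line):
            pending = m.groupdict()
        elif pending and (s := STATS_RE.match(line)):
            pending.update(pkts=int(s["pkts"]), bytes=int(s["bytes"]))
            flows.append(pending)
            pending = None
    return flows

def rank(flows, key="dst", n=3):
    """IPs under `key` (dst = who is targeted, src = by whom) ranked by packets,
    each with its count of distinct peers; high fan-in on one dst is the DDoS shape."""
    other = "src" if key == "dst" else "dst"
    pkts, peers = Counter(), {}
    for f in flows:
        pkts[f[key]] += f["pkts"]
        peers.setdefault(f[key], set()).add(f[other])
    return [(ip, p, len(peers[ip])) for ip, p in pkts.most_common(n)]
```

On a live box, paste the command output into a file and feed it to parse_flows; remember that a table that has run full (see the later reply about the fixed 128K/256K entry limit) under-counts the attack rather than mis-attributing it.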


Worked a treat!

What is the overhead during a DoS?

Thanks Gary

Reply to
Gary

[...]

For packets forwarded by the PFC-2 and PFC-3, Netflow statistics are *collected* "in hardware", so enabling Netflow (even without sampling) won't have a negative impact on forwarding performance.

However, table maintenance, i.e. aging out old entries, and possibly exporting them when NDE (Netflow export) is enabled, does use CPU cycles. That is particularly noticeable when there is a high number of flows, as is seen during aggressive port scanning or some kinds of DoS.

PFC (MLS) Netflow table maintenance is mostly done by the Switch Processor on the Supervisor, not by the Route Processor (MSFC). NDE (Netflow export from the PFC) used to load the MSFC somewhat, but since or 12.2SXE (I think), NDE is done entirely by the Switch Processor.

There is an upper limit on the amount of maintenance work for MLS Netflow, because the table is "walked" at a fixed rate (~32K entries every second, I think). Therefore I don't think you need to be worried that a flow-heavy DoS may bring your box down. I think there may be small issues for things like reading interface counters when the Switch Processor is heavily loaded, but everything else should work just fine.

Because the PFC/MLS Netflow table has a fixed size (128K entries on the PFC-2/PFC-3, 256K on the PFC-3BXL), and aging out old entries is done on a fixed schedule, the hardware Netflow table will run full when there are too many flows. This just means that some packets cannot be accounted for in Netflow.

Reply to
Simon Leinen

We actually had to upgrade all our MSFC2 boxes to SUP720's because NDE caused the CPUs to spike to 100%. There was no impact to traffic being switched, but core routers running at 100% is never a good thing!

[snip]
Reply to
Hansang Bae
