Strange, we were hit today by a DDoS to one of our servers inside the network. The transfer was about 55000 to 60000 packets per second and we saw 100% CPU utilization. The MT we use is a 2.8GHz P4, 1GB RAM, Intel GigE 100proMT and onboard Intel 10/100 and GigE, running 2.8.26 (it's also an all-Intel motherboard). This runs BGP also.
We were hardly able to work on Winbox remotely. Moreover, on the 10/100 NIC we got 30Mbps of traffic, the 55000 packets per second, and we could barely work on the router.
Moving all traffic to the other GigE we were able to work a little with the system, though CPU remained at 100%. Null routing the targeted server helped us come back in control.
What I would like to understand is how do we prevent this from happening next time and stop these kinds of disruptions? Do we need to upgrade anything in the router?
Also, what's the max pps MT can do, keeping in mind we do plain routing and a few (30-40) policy routes?
Over the past few years we have had some DDoS attacks as well… things I’ve found that help:
Turn off firewall logging if possible. Logging will kill the router under a high pps load where everything is getting dropped. We were seeing 200,000pps once and it almost handled it after turning off logging.
Limit the amount of firewall rules you have in place. Do not drop everything and then allow certain things… just allow what you need and drop the rest. Very simplistic if possible.
Do not use queues on the border router.
Do not use bgp on the firewall router.
Do not use NAT.
Create some synflood rules.
Change the connection tracking to be aggressive… or just turn it off if it's not needed.
Separate your border router from your core router / firewalls.
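As an added example (not part of either post above, and not MikroTik's own reference config), here is how the reply's points translate into a RouterOS firewall: a short allow-then-drop input chain with logging left off, a rate-limited SYN chain, aggressive connection-tracking timeouts, SYN cookies, and the blackhole route the original poster added by hand. It is written in RouterOS v6 CLI syntax; the 2.8.26 build the original poster ran uses different command forms. The interface name `ether1-wan`, the `syn-protect` chain name, the address-list names, the rate and timeout values, and all IP addresses are assumptions to be tuned to the actual link.

```routeros
# Added example in RouterOS v6 syntax (the original post ran 2.8.26, whose
# syntax differs).  ether1-wan, the chain/list names, the rate numbers and
# the addresses are assumptions, not values from the thread.

# Address lists used by the rules below (placeholder addresses).
/ip firewall address-list
add list=bgp-peers address=198.51.100.1 comment="BGP neighbour (placeholder)"
add list=mgmt address=203.0.113.0/24 comment="NOC range (placeholder)"

# 1. Short, ordered input chain: accept what is known, drop the rest.
#    log=no (the default) on the final drop keeps a flood from turning
#    into a logging storm, which is what pins the CPU under high pps.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="fast path for flows already accepted"
add chain=input connection-state=invalid action=drop
add chain=input protocol=tcp tcp-flags=syn connection-state=new \
    action=jump jump-target=syn-protect comment="SYN flood rate limit"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=179 \
    src-address-list=bgp-peers action=accept comment="BGP from peers only"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=8291 \
    src-address-list=mgmt action=accept comment="Winbox from management only"
add chain=input in-interface=ether1-wan action=drop log=no \
    comment="everything else, unlogged"

# syn-protect: let through up to 400 new SYNs per second (burst 5) and
# drop the excess before each one costs a connection-tracking entry.
add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new \
    limit=400,5:packet action=return
add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new \
    action=drop

# 2. Aggressive connection tracking: short timeouts so half-open and
#    spoofed flows age out quickly.  On a border router that does no NAT
#    and no stateful filtering, "set enabled=no" removes the cost entirely.
/ip firewall connection tracking
set tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    tcp-close-timeout=5s tcp-time-wait-timeout=5s udp-timeout=10s

# 3. SYN cookies for the router's own listeners (BGP, Winbox, SSH).
/ip settings set tcp-syncookies=yes

# 4. Null-route the flooded host so its packets are discarded at the
#    routing stage instead of walked through the firewall.  192.0.2.10 is
#    a documentation address standing in for the targeted server.
/ip route add dst-address=192.0.2.10/32 type=blackhole comment="DDoS target"
```

The ordering matters: the established/related accept sits first so that under load only the first packet of a flow walks the rest of the chain, and the SYN limiter runs before any per-service accept so a flood never reaches the rules that would create state. Check `/ip firewall filter print stats` and `/ip firewall connection print count-only` during an event to see which rule is absorbing the packets and how large the state table is.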