Running RoS 3.24 on a RB1000. Last night one of my colocation clients downstream from the router got hit with a DDoS. The data center NOC said is was a SYN flood and ended up null-routing the target IP address (he stopped counting when source IP entries approached 5000). All is well now, but I have to wonder what was happening inside the RB. The packet count going coming into the router from upstream was not particularly high:
and the bitrate was nowhere near out of range for what the router normally handles:
But the router's CPU loading was pegged at the ceiling the whole time and there was severe latency throughout my entire client network as a result:
So a rather moderate increase in packets and bits brought the RB to it's knees. Why is this so? My config inside the RB is minimal; I'm routing traffic to about 5 dozen client VLANs, I have about six simple queues, no firewall rules and no connection tracking or logging. It seems like the RB should have been able to handle this, but it didn't. Anyone have any ideas why? The info I have from the data center network admins:
Can anyone suggest firewall rules that would help in this particular situation?I took a look at the flowstats and saw a ton of incoming SYN packets to port 80 on that IP from either ports 1024 or 3072 from the DDoS sources. I tried to ACL it out, but there were probably additional items inbound to it that flows wasn't showing me in the top 100 sources. At that point it just made sense to drop everything than keep looking for more.