[AusNOG] 10G routing

Ben ben at meh.net.nz
Sat Feb 8 19:25:42 EST 2014 

That looks like the problem.  Remove that and try disabling connection tracking and see if it takes it.

Ben.

On Sat, Feb 08, 2014 at 09:49:29AM +1100, Michael Marklew wrote:
> Yes. Apart from rate limiting I had something similar to this in place - http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
> 
> FYI: It had been handling 60k+ pps with sustained 200+ Mbps for some weeks and 0-3% CPU load.
> 
> Not really a big deal considering it's specks.
> 
> Tom Berryman suggested the logging may have crashed it. The DDOS trigged some logging so this is possibly the problem. I will adjust and wait for the next DDOS.
> 
> On 8 Feb 2014, at 9:23 am, Ben <ben at meh.net.nz> wrote:
> 
> > were you storing state?  i'd be disconcerted if it can't handle 250 megabit of traffic of any kind.
> > 
> > if state tables overflow then you can lose connection to devices.  
> > 
> > Ben.
> > 
> > On Sat, Feb 08, 2014 at 09:12:04AM +1100, Michael Marklew wrote:
> >> 1:09 am and my Cloud Core (CCR1036-12G-4S) was taken down by a 250Mbps plus DDOS to an end user. Now it is non-resposnive and I have to make a weekend trip into the data centre.
> >> 
> >> I put it in front of my Cisco 7200 series only a few weeks ago so I could do some QoS on my main feed. It has been working well and I have been patting myself on the back because I saved $20k on the appropriate Allott Net Enforcer or some such.
> >> 
> >> My backup BGP path is via another 7200 and other then being very slow it managed when the traffic switched.
> >> 
> >> So it would appear the CCR1036-12G-4S has less routing power then an old Cisco 7200 VXR, although the Mikrotik was doing some rate limiting and fire walling (to block DDOS) for that matter.
> >> 
> >> I love the Mikrotik gear, I love it's price and I love it's flexibility. Shame. Now to decide if I should put a managed power rain in so I can reboot it remotely or just get rid of it.
> >> 
> >> Kind Regards,
> >> Michael.
> >> 
> >> On 7 Feb 2014, at 3:05 pm, Matt Perkins <matt at spectrum.com.au> wrote:
> >> 
> >>> Google mikrotik cloud core.
> >>> 
> >>> Matt.
> >>> 
> >>> 
> >>> On 7/02/14 1:25 PM, Alex Samad - Yieldbroker wrote:
> >>>> Hi
> >>>> 
> >>>> Q)  am I being unrealistic to think I should be able to get 10Gb/s routing/firewall in a vm? (or cheap hardware solution)
> >>>> 
> >>>> I know there are very expensive Big name boxes out there, but I am wondering what other people are thinking / using.  I guess I am not thinking core telco stuff but more for business end user.
> >>>> 
> >>>> I have had a bit of a test of the current soft routers and love interfaces, love the price (not so much the brocade vr5400..)
> >>>> 
> >>>> Did some testing of a home built centos 6.5 box  I was able to get up to  8Gb/s  routed and firewall rules in place, but writing a system to manage it I have better things to do :)
> >>>> 
> >>>> My general feel currently is they are not ready yet, trying to get up over 1Gb/s was rather hard..  General feel on yvos was it should work out of the box ...
> >>>> 
> >>>> My next question
> >>>> 
> >>>> Any one played with one of these
> >>>> CCR1036-8G-2S+: 36core Cloud Core Router with 8GbE 2x 10Gbe SFP
> >>>> 
> >>>> They say they can get 28Gb/s routed with firewall rules in place ....
> >>>> 
> >>>> Thanks
> >>>> 
> >>>> 
> >>>> 
> >>>> _______________________________________________
> >>>> AusNOG mailing list
> >>>> AusNOG at lists.ausnog.net
> >>>> http://lists.ausnog.net/mailman/listinfo/ausnog
> >>> 
> >>> 
> >>> -- 
> >>> /* Matt Perkins
> >>>       Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
> >>>       Office 1300 133 299     matt at spectrum.com.au
> >>>       Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
> >>>       SIP 1300137379 at sip.spectrum.com.au
> >>>       PGP/GNUPG Public Key can be found at  http://pgp.mit.edu
> >>> */
> >>> 
> >>> _______________________________________________
> >>> AusNOG mailing list
> >>> AusNOG at lists.ausnog.net
> >>> http://lists.ausnog.net/mailman/listinfo/ausnog
> >> 
> >> _______________________________________________
> >> AusNOG mailing list
> >> AusNOG at lists.ausnog.net
> >> http://lists.ausnog.net/mailman/listinfo/ausnog

More information about the AusNOG mailing list