[AusNOG] 10G routing

Michael Marklew mike at idl.net.au
Thu Feb 13 10:54:22 EST 2014


Logging to e-mail was the problem. 

I limited logging of the DDOS event to 1 message per minute and I have suffered through several hits and the CPU stayed around 2-7% with no lockups. I only changed the logging and nothing else. Mikrotik 36core was blocking some million or so connection attempts every few seconds. Normally this would bring my 7200VXR to a crawl which is now "protected" by a Mikrotik (as funny as I am sure that sounds).

This uplink is only 250Mbps, so one could assume it may scale to 1Gbps?

NB: Not that all this helps me much, as this uplink still gets saturated causing slow access and packet loss, but at least it protects my internal network while the BGP 666 route takes effect.

Thank you everyone for your help and suggestions.

On 13 Feb 2014, at 10:34 am, Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com> wrote:

> Hi
> 
> Old post but I was wondering what was the diagnosis of this ?
> 
> Alex
> 
>> -----Original Message-----
>> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Ben
>> Sent: Saturday, 8 February 2014 7:26 PM
>> To: Michael Marklew
>> Cc: AusNOG at lists.ausnog.net
>> Subject: Re: [AusNOG] 10G routing
>> 
>> That looks like the problem.  Remove that and try disabling connection
>> tracking and see if it takes it.
>> 
>> Ben.
>> 
>> On Sat, Feb 08, 2014 at 09:49:29AM +1100, Michael Marklew wrote:
>>> Yes. Apart from rate limiting I had something similar to this in place
>>> - http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
>>> 
>>> FYI: It had been handling 60k+ pps with sustained 200+ Mbps for some
>>> weeks and 0-3% CPU load.
>>> 
>>> Not really a big deal considering its specs.
>>> 
>>> Tom Berryman suggested the logging may have crashed it. The DDOS
>>> triggered some logging so this is possibly the problem. I will adjust and wait for
>>> the next DDOS.
>>> 
>>> On 8 Feb 2014, at 9:23 am, Ben <ben at meh.net.nz> wrote:
>>> 
>>>> were you storing state?  i'd be disconcerted if it can't handle 250 megabit
>>>> of traffic of any kind.
>>>> 
>>>> if state tables overflow then you can lose connection to devices.
>>>> 
>>>> Ben.
>>>> 
>>>> On Sat, Feb 08, 2014 at 09:12:04AM +1100, Michael Marklew wrote:
>>>>> 1:09 am and my Cloud Core (CCR1036-12G-4S) was taken down by a
>>>>> 250Mbps plus DDOS to an end user. Now it is non-responsive and I have to
>>>>> make a weekend trip into the data centre.
>>>>> 
>>>>> I put it in front of my Cisco 7200 series only a few weeks ago so I could
>>>>> do some QoS on my main feed. It has been working well and I have been
>>>>> patting myself on the back because I saved $20k on the appropriate Allott
>>>>> Net Enforcer or some such.
>>>>> 
>>>>> My backup BGP path is via another 7200 and other than being very slow
>>>>> it managed when the traffic switched.
>>>>> 
>>>>> So it would appear the CCR1036-12G-4S has less routing power than an
>>>>> old Cisco 7200 VXR, although the Mikrotik was doing some rate limiting and
>>>>> firewalling (to block DDOS) for that matter.
>>>>> 
>>>>> I love the Mikrotik gear, I love its price and I love its flexibility. Shame.
>>>>> Now to decide if I should put a managed power rail in so I can reboot it
>>>>> remotely or just get rid of it.
>>>>> 
>>>>> Kind Regards,
>>>>> Michael.
>>>>> 
>>>>> On 7 Feb 2014, at 3:05 pm, Matt Perkins <matt at spectrum.com.au>
>>>>> wrote:
>>>>> 
>>>>>> Google mikrotik cloud core.
>>>>>> 
>>>>>> Matt.
>>>>>> 
>>>>>> 
>>>>>> On 7/02/14 1:25 PM, Alex Samad - Yieldbroker wrote:
>>>>>>> Hi
>>>>>>> 
>>>>>>> Q)  am I being unrealistic to think I should be able to get
>>>>>>> 10Gb/s routing/firewall in a vm? (or cheap hardware solution)
>>>>>>> 
>>>>>>> I know there are very expensive Big name boxes out there, but I am
>>>>>>> wondering what other people are thinking / using.  I guess I am not thinking
>>>>>>> core telco stuff but more for business end user.
>>>>>>> 
>>>>>>> I have had a bit of a test of the current soft routers and love
>>>>>>> interfaces, love the price (not so much the brocade vr5400..)
>>>>>>> 
>>>>>>> Did some testing of a home built centos 6.5 box  I was able to
>>>>>>> get up to  8Gb/s  routed and firewall rules in place, but writing
>>>>>>> a system to manage it I have better things to do :)
>>>>>>> 
>>>>>>> My general feel currently is they are not ready yet, trying to get up
>>>>>>> over 1Gb/s was rather hard..  General feel on VyOS was it should work out of
>>>>>>> the box ...
>>>>>>> 
>>>>>>> My next question
>>>>>>> 
>>>>>>> Any one played with one of these
>>>>>>> CCR1036-8G-2S+: 36core Cloud Core Router with 8GbE 2x 10Gbe SFP
>>>>>>> 
>>>>>>> They say they can get 28Gb/s routed with firewall rules in place ....
>>>>>>> 
>>>>>>> Thanks
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> AusNOG mailing list
>>>>>>> AusNOG at lists.ausnog.net
>>>>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> /* Matt Perkins
>>>>>>      Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
>>>>>>      Office 1300 133 299     matt at spectrum.com.au
>>>>>>      Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
>>>>>>      SIP 1300137379 at sip.spectrum.com.au
>>>>>>      PGP/GNUPG Public Key can be found at  http://pgp.mit.edu */
>>>>>> 
>>>>> 
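The fix the thread converges on, expressed as a RouterOS firewall fragment: move the per-packet decision (drop) off the logging path, rate-limit the log rule so a million blocked attempts produce one line a minute rather than a million e-mails, and keep firewall logs local instead of shipping the topic to an e-mail action. This is an added example and is not configuration from the thread or from the MikroTik wiki page linked above; the chain names, address-list names, thresholds, e-mail address and log prefix are assumptions, and the syntax is RouterOS 6.x as I know it, so check each parameter against your release before pasting.

```routeros
# Added example, not from the thread. RouterOS 6.x syntax; all names and thresholds are assumptions.

# ---------------------------------------------------------------------------
# Weak form (the failure mode described in the thread): the drop rule logs every
# packet it matches, and the firewall topic is sent to an e-mail action. At the
# packet rates quoted, the logging path, not the forwarding path, is what saturates.
# ---------------------------------------------------------------------------
/ip firewall filter
add chain=forward connection-state=new src-address-list=ddos-attackers \
    action=drop log=yes log-prefix="ddos-drop"
/system logging action
add name=mail target=email email-to="noc@example.net"
/system logging
add topics=firewall action=mail

# ---------------------------------------------------------------------------
# Corrected form. Detection and blocking are modelled on the address-list pattern
# the linked wiki page uses; the logging rule is the change that matters here.
# Note the detect chain relies on connection tracking (connection-state=new), which
# is the trade-off against Ben's suggestion of disabling it outright.
# ---------------------------------------------------------------------------
/ip firewall filter
# 1. Detection: new connections to a src/dst pair above 32 per 10 s (burst 32) fall
#    through the return and get both ends listed, with timeouts so the lists age out.
add chain=forward connection-state=new action=jump jump-target=detect-ddos \
    comment="ddos detect (assumed thresholds)"
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
add chain=detect-ddos action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m

# 2. Logging, rate-limited: at most one log line per minute for the whole event
#    (burst of 5). The limit matcher stops matching once the budget is spent, so
#    the rule costs one counter check per packet instead of one log write per packet.
#    It sits before the drop so it still sees the attack traffic.
add chain=forward src-address-list=ddos-attackers dst-address-list=ddos-targets \
    limit=1/1m,5:packet action=log log-prefix="ddos-drop"

# 3. Drop, silently: no log=yes on the rule that fires a million times.
add chain=forward src-address-list=ddos-attackers dst-address-list=ddos-targets \
    action=drop
#    On 6.36 and later the same drop can be placed in /ip firewall raw chain=prerouting
#    so listed attackers never reach connection tracking at all.

# 4. Keep the firewall topic local; if an e-mail is wanted, send one summary from a
#    scheduler script rather than one message per log line.
/system logging
add topics=firewall action=memory
```

The point to verify on a live box is the counter on the `action=log` rule during an event: it should climb to the burst and then advance roughly once a minute while the drop rule's counter keeps climbing at line rate. If the log rule's counter tracks the drop rule's, the `limit=` matcher is not doing what you think and you are back in the weak form.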