And how would I do that?
Yes I know, I think that is a VL feature, and my radio is not VL.
If I were able to limit the PPS then that would solve the problem.
But technically why should I have to limit the PPS, because the radios
themselves are nowhere near getting saturated by the amount of PPS
currently going through.
What is getting saturated is the HDD based XEON routers.
My point here is that a XEON based GB router should not be able to handle
less PPS than a 100Mhz Pentium based Radio.
I should be able to tweak our Linux configuration to solve the problem and
allow the Linux box to run optimally without risk.
Lastly, what is the appropriate PPS limit that would not compromise a
customer's traffic?
Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
----- Original Message -----
From: "Marty Dougherty" <[EMAIL PROTECTED]>
To: "'WISPA General List'" <[email protected]>
Sent: Sunday, January 07, 2007 8:24 AM
Subject: RE: [WISPA] SSH DOS Killing Linux
"The infected sub was
bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for
PPS."
Tom- Why don't you just limit the number PPS at the customers radio?
Marty
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom DeReggi
Sent: Saturday, January 06, 2007 9:27 PM
To: WISPA General List
Subject: [WISPA] SSH DOS Killing Linux
We recently had a really nasty DOS attack that took down a large part of our network across several cell sites, from the infected client all the way to the Internet transit.

Take note that we identified the problem quickly and cured it quickly. But.... This is the first time that this has occurred in 5 years, as we have a good number of smart design characteristics that have limited the effects of most viruses on our network. We stopped the attack by blocking SSH to the infected sub. The average amount of traffic crossing the entire network path from the client to the Internet was about 500 kbps on average. (This was a 20 mbps wireless link, and a 100mbps fiber transport link to the transit.) The two routers were a P4 2Ghz, and a Dual XEON 2.2Ghz w/ 10,000rpm SCSI3. The damage was that the CPU was nailed on both routers to about 99.9% using "TOP" to monitor stats. We verified that successful SSH sessions were not made directly to the protected routers themselves. Take note that the wireless links were barely affected, it was the router 2 hops away (Dual XEON) that got overloaded the most. Our routers have been tested to pass over 2 gbps of throughput easily. And have been load tested to survive very small packets and high PPS adequately. The infected sub was bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for PPS. So I'm looking for reasons that the CPU got overloaded. My theory is that the DOS attack resulted in a large number of disk writes (maybe logging?) causing the CPU saturation. I've had a hard time locating the cause. And have not discovered which virus yet, although I should have more info soon from my clients.
So my question....
What needs to be done on a Linux machine to harden it, to protect against CPU oversaturation, during DOS attacks?
What should and shouldn't be logged? Connection Tracking? Firewall logging? Traffic stats?
Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
--
WISPA Wireless List: [email protected]
Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/