Re: 3.6 squid/pf performance tested
From: Karsten McMinn (tenyou gmail.com)
Date: Fri Jan 28 2005 - 12:28:58 CST
To be more specific, Cisco's NBAR kept up with the traffic, but didn't
have any methods in place to fully drop the TCP session, thus the
Apache server would eventually hit its compiled-in limits.
On Fri, 28 Jan 2005 10:21:44 -0800, Karsten McMinn <tenyou gmail.com> wrote:
> Sure. The iptables box was an old AMD K6-300 processor, 2.2 kernel,
> the iptables distro wasn't a new one, I know that.
>
> The cisco platform was a 7204, npe400, running 12.2(18)s, using
> Cisco's NBAR code to catch requests and police/ratelimit them.
>
> -k
>
>
> On Fri, 28 Jan 2005 09:39:36 -0500, MikeM <zlists mgm51.com> wrote:
> > On 1/27/2005 at 11:16 AM Karsten McMinn wrote:
> >
> > |I've returned to misc. Passing on some information for those that deem
> > |it useful. I've been using OpenBSD since 2.9 for many things. I also
> > |use it in the enterprise for services at an ISP also. Recently we had
> > |a small domain attract a very large scale DDoS. I nominated
> > |OpenBSD+squid/pf for the job. Stripped kernel, squid compiled
> > |transparent with a large amount of file descriptors, 2 NICs running in
> > |bridge mode, separate webserver behind one of the NICs.
> > |
> > |[snip]
> > |
> > |This machine is an old Dell Optiplex recovered to do a job where
> > |iptables and the best of Cisco IOS firewall features couldn't keep up.
> > =============
> >
> > Can you give more info on the box that ran iptables (CPU, memory), and what
> > model Cisco firewalls couldn't keep up?
> >
> > Thanks.