On Thu, 20 Nov 2003, Magnus Eriksson wrote:

> The last 2 days I've been fighting against the Nachi ICMP onslaught on a
> customer network.
>
> Problem is that the "random" destination traffic seems to kill my VPNs by
> vendor N. CPU is consumed, probably due to trying to maintain/update the
> route cache. Or maybe it hits its pps limit.
> Ordinary traffic req. is approx. 10 Mbit/s mixed traffic.
> Worm traffic I would like to be able to handle is approx. 2-3 kpps.
> Anyone know of any VPN boxes/routers with VPN capability that are better
> able to handle the onslaught? Are vendor C's boxes better than Nortel's?
> Is CEF going to help me? Or is the problem pps related?
> Will it help to throw a bigger box at the problem?
> Any advice greatly appreciated.
::shrugs:: I have a bunch of Linux/FreeS/WAN systems acting as site-to-site IPsec gateways, iptables firewalling, no connection tracking... At one point I had at least three infected sites and no problems. YMMV. In my testing my 1.mumble GHz PIII-based boxes can saturate 100 Mbit while using AES. Anyone using a Linux system as a router with large (ahem, bigger than /25!) subnets should be sure to adjust the neighbor table thresholds to avoid scanning-triggered problems.
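The neighbor table adjustment mentioned above, as an added example that is not part of the original post: on Linux the ARP/neighbour cache is bounded by net.ipv4.neigh.default.gc_thresh1/2/3 (defaults 128/512/1024 for most kernels of that era), and a worm sweeping a directly attached /22 fills the table with INCOMPLETE entries faster than garbage collection can clear them, at which point the kernel logs "neighbour table overflow" and forwarding for legitimate hosts stalls. The script below computes thresholds from the prefix lengths of the attached subnets and emits sysctl.conf lines. The 1x/2x/4x sizing rule and the function names are this example's own choices, not kernel recommendations or anything from the poster.

```shell
#!/bin/sh
# Added example, not from the original post: size the Linux neighbour
# (ARP) cache thresholds to the directly attached IPv4 subnets so that a
# full scan of every subnet cannot exhaust the table.
# Assumes the real sysctl keys net.ipv4.neigh.default.gc_thresh{1,2,3};
# the 1x/2x/4x ratios are a rule of thumb chosen here, not a kernel default.

# Total number of IPv4 addresses covered by a list of prefix lengths,
# e.g. `subnet_addrs 22 24` -> 1280.
subnet_addrs() {
    total=0
    for plen in "$@"; do
        case "$plen" in
            ''|*[!0-9]*) echo "bad prefix length: $plen" >&2; return 1 ;;
        esac
        [ "$plen" -le 32 ] || { echo "bad prefix length: $plen" >&2; return 1; }
        total=$(( total + (1 << (32 - plen)) ))
    done
    echo "$total"
}

# Print "gc_thresh1 gc_thresh2 gc_thresh3".
# gc_thresh1: entries below this are never garbage collected.
# gc_thresh2: soft limit; gc runs once the table has been above it for 5s.
# gc_thresh3: hard limit; new neighbours are refused above it.
# Never go below the kernel defaults (128/512/1024) for small sites.
neigh_thresholds() {
    addrs=$(subnet_addrs "$@") || return 1
    t1=$addrs
    t2=$(( addrs * 2 ))
    t3=$(( addrs * 4 ))
    [ "$t1" -ge 128 ]  || t1=128
    [ "$t2" -ge 512 ]  || t2=512
    [ "$t3" -ge 1024 ] || t3=1024
    echo "$t1 $t2 $t3"
}

# Emit lines suitable for /etc/sysctl.conf.
neigh_sysctl_conf() {
    vals=$(neigh_thresholds "$@") || return 1
    set -- $vals
    printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
    printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

# Usage: ./neigh-thresh.sh 22 24      (prefix lengths of attached subnets)
# Apply live: ./neigh-thresh.sh 22 24 | sed 's/ = /=/' | xargs -n1 sysctl -w
if [ "$#" -gt 0 ]; then
    neigh_sysctl_conf "$@"
fi
```

Count every subnet on every interface, not just the largest one, since the thresholds are per host, not per interface. On a box whose table is already overflowing, the sysctl values can be raised live with `sysctl -w`; the existing INCOMPLETE entries age out on their own once the limit no longer blocks new resolutions.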