A DDoS attack with a large number of simultaneous connections takes down a transceiver, causing users to time out and drop offline across a large area

Source: Internet
Author: User

Some time ago a customer switched to automatic Telecom/Netcom routing (this has nothing to do with the problem, of course, but customers generally cannot analyze the cause themselves and will assume it does). Since then, users have often dropped offline across a large area. The site has more than 180 users, with more than 120 online at peak, so this was very distressing. The technician who originally helped with maintenance did a remote diagnosis, then said only "There's no problem with the routing" and would not discuss it any further.

As we all know, a Wayos router reads its configuration file at boot, so there is no such thing as the router being "damaged". If something is damaged, it is generally either a lost configuration file, which means lost configuration, or system file corruption, which means the router cannot boot. So to the technician who says the routing has a problem: BS ...

Here is my analysis of how I dealt with the problem:

1. First, when the line drops there is the following log: the DDoS sends a large number of attack packets, and users time out and drop offline.

2. Seeing this problem gave me a headache, but we need to let the facts speak, so we capture packets ...

I turned on mirroring mode on the main switch and captured the data on the main interface, so that all the users' data was captured and the analysis would be easier.

3. I waited for about 3 hours, and just when I was ready to give up, the users suddenly dropped offline abnormally again ... At that moment the packet capture software also froze ....

I knew that at that moment the large number of attack packets had left the computer unable to respond ... So all I could do was wait.

4. I waited for probably half an hour or so before the software responded again ... Then I saw the packets, before processing.

Because the file is too big, it stalls too much and the wait is too long, so I got lazy.

5. In fact, before capturing the packets, I had recommended that the user replace the whole backbone with gigabit, including gigabit switch modules. Although that might solve the problem, it would add too much cost for the user, which is normally unacceptable for a customer with just over 100 users.

6. After capturing the packets, I set the relevant policies based on the type of attack and observed for one day; the problem has not been found again ...

7. After this attack problem, I found that the 100M NetLink transceiver is really rubbish. With a lot of data connections, it is the first to go down ... it simply trips. But the advantage is that the router does not go down and you can see the attack data.

Otherwise, under an attack of more than 600,000 packets per second, I believe the D525 could not take it.
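The capture in steps 2 to 4 was so large that the analysis software froze on it. As an added example (not from the original post), here is a streaming reader for a classic pcap file that counts packets per second and the top IPv4 sources without loading the whole file. The function names, the alert threshold and the sample capture are constructed for illustration.

```python
import io
import struct
from collections import Counter

def pcap_rates(stream, pps_alert=100_000):
    """Stream a classic pcap; return ({second: packets >= pps_alert}, top 5 sources)."""
    hdr = stream.read(24)
    if hdr[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif hdr[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", hdr[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    per_second, sources = Counter(), Counter()
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break  # end of file, or a record header cut short
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            break  # last packet truncated, e.g. the capture tool was killed
        per_second[ts_sec] += 1
        # Ethernet II carrying IPv4: ethertype at 12..14, source IP at 26..30
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            sources[".".join(map(str, frame[26:30]))] += 1
    alerts = {sec: n for sec, n in per_second.items() if n >= pps_alert}
    return alerts, sources.most_common(5)

def build_sample():
    """Constructed capture: 3 packets in second 100, then 50 from one host in second 101."""
    def pkt(ts, last_octet):
        ip = b"\x45" + b"\x00" * 11 + bytes([192, 168, 1, last_octet]) + bytes([10, 0, 0, 1])
        frame = b"\xff" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out += b"".join(pkt(100, o) for o in (10, 11, 12))
    out += b"".join(pkt(101, 66) for _ in range(50))
    return out

if __name__ == "__main__":
    alerts, top = pcap_rates(io.BytesIO(build_sample()), pps_alert=40)
    print("seconds over threshold:", alerts)
    print("top sources:", top)
```

On a real capture, pass `open(path, "rb")` as the stream; memory use stays proportional to the number of distinct seconds and source addresses, not to the file size.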
