huba at uidaho.edu
Sat Jan 19 08:10:54 GMT 2002
We also saw something like this happen in a couple of situations when someone
generated over a couple thousand flows with spoofed loopback type SRC
addresses. Seemed like the packetshaper was thinking those Then of course
the only recourse was to bounce the box because by then you couldn't get in
to have it "fail open." Of course then we got serious about blocking RFC
1918 type traffic. That was a while ago now.
I apologize to you folks not interested in the packetshaper thread.
Although probably bandwidth management is an issue dear to most of us by
now. I did find out there is a public packetshaper mailing list that
Stanford is archiving and running here:
packeteer-edu at lists.Stanford.EDU
-Huba at uidaho.edu
From: Pete Hickey [mailto:pete at shadows.uottawa.ca]
Sent: Friday, January 18, 2002 1:19 PM
To: unisog at sans.org
Subject: Re: [unisog] Packetshaper
On Thu, Jan 17, 2002 at 03:54:52PM -0500, Steve Bernard wrote:
> Can you be more specific as to the problems that you experienced? I run
> several PS boxes and haven't noticed anything new, problem wise, since
> upgrading to 5.2.0.
We just experienced an interesting 'problem' with it. Still
running 5.1, but that is probably unrelated.
We had a DoS attack originating on our campus. This attack used
forged source addresses, and these addresses were from any of the
255 on the subnet. Now, the attack was going to a destination of
around a dozen machines.
That gives us 255 * 12 = 3060 (src,dst) pairs. (Maybe irrelevant.)
Now, each packet to each host was to a different dest port. So
now that 3060 is multiplied by a few hundred (thousand) for the
number of sessions flowing through it.
I imagine that the packeteer has to do a bit more processing with each
new session to a new port.
The net effect is that our net access slowed down to a crawl.
Pete Hickey, Communication Services, University of Ottawa
Ottawa, Ont. Canada K1N 6N5 | Pete at mudhead.uottawa.CA | (613) 562-5800x1008
VEIWIT: Makers of mirrors for dyslexics.
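Both failure modes in this thread (Huba's spoofed loopback / RFC 1918 sources, and Pete's one-session-per-destination-port fan-out) show up in exported flow records before the shaper falls over. The script below is an added illustration, not code from the unisog thread or from Packeteer; the "src dst dport" record format, the blocked source ranges and the fan-out threshold are assumptions.

```python
"""Spot flow-table explosions in exported flow records: sources that should
never originate on campus, and (src, dst) pairs fanning out across many
destination ports so that every packet becomes a new session."""
import ipaddress
from collections import defaultdict

# Assumed policy: loopback and RFC 1918 space must not appear as a source.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_bogon_source(src):
    """True when src falls inside one of the blocked source ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_NETS)


def parse_flows(text):
    """Parse 'src dst dport' lines (assumed export format) into tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows


def analyze(flows, fanout_threshold=32):
    """Count distinct sessions and flag the two anomalies from the thread."""
    sessions = set(flows)  # one shaper session per distinct (src, dst, dport)
    ports_per_pair = defaultdict(set)
    for src, dst, dport in sessions:
        ports_per_pair[(src, dst)].add(dport)
    fanout = sorted((s, d, len(p)) for (s, d), p in ports_per_pair.items()
                    if len(p) >= fanout_threshold)
    bogons = sorted({src for src, _, _ in sessions if is_bogon_source(src)})
    return {"sessions": len(sessions), "pairs": len(ports_per_pair),
            "fanout_pairs": fanout, "bogon_sources": bogons}


# Constructed sample: two normal web flows, two flows with spoofed sources,
# and a forged-source burst of 4 sources x 3 targets x 40 destination ports.
SAMPLE = "192.0.2.5 198.51.100.1 80\n192.0.2.5 198.51.100.1 443\n"
SAMPLE += "127.0.0.1 198.51.100.2 25\n192.168.9.9 198.51.100.2 25\n"
SAMPLE += "\n".join(f"203.0.113.{s} 198.51.100.{d} {p}"
                    for s in range(1, 5) for d in range(1, 4)
                    for p in range(1024, 1064))

if __name__ == "__main__":
    report = analyze(parse_flows(SAMPLE))
    print(report["sessions"], "sessions across", report["pairs"], "pairs")
    print("fan-out pairs:", report["fanout_pairs"])
    print("bogon sources:", report["bogon_sources"])
```

The 12 fan-out pairs account for 480 of the 484 sessions, which is the multiplication Pete describes: a handful of (src,dst) pairs times a distinct port per packet.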