
On 16 Jan 2015, at 5:17, Blake Hudson via Outages wrote:
> For instance, a 7600 Sup720 can become unresponsive due to a few Mbps of IP traffic with IP options hitting an ACL that punts the traffic to the CPU.
Yes, obsolete hardware generally has less TCAM resources than more modern hardware, and fewer self-protection mechanisms. There are ways to choke input queues, cause traffic to be punted, etc. even on more modern hardware (although more modern hardware has various self-protection mechanisms which can be utilized to ameliorate the effects of such traffic). And even on older hardware, there are some tricks one can do to limit this particular set of attack surfaces.

But stateless filtering in front of servers isn't *conceptually* flawed; stateful filtering in front of servers *is* conceptually flawed.

Any further discussion of this topic in the context of the outages community should probably take place on outages-discuss.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
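The conceptual distinction drawn above (stateless filtering scales with the rule set, stateful filtering scales with the number of flows an attacker can make it remember) can be shown with a small model. The following is an added illustration, not code from the thread or from any vendor; the packet fields, the flow-table size, the address values and the filter classes are all constructed for the example.

```python
"""Toy model contrasting stateless and stateful filtering in front of a server.

Constructed example: no real device, protocol stack or traffic is involved.
The point it shows is the one made in the thread: a stateless ACL judges each
packet on its header alone and keeps no per-flow memory, whereas a stateful
filter must allocate an entry per new flow, so spoofed connection attempts can
exhaust its table and block legitimate new connections.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool             # True for a connection-opening packet
    has_ip_options: bool  # True if the IP header carries options


class StatelessFilter:
    """Stateless ACL: every packet is judged on its own header fields.

    Memory use is constant; a flood from many spoofed sources costs no more
    per packet than a single legitimate client does. Dropping packets with
    IP options up front is one way to shrink the attack surface the thread
    mentions (hypothetical knob, not a real vendor command).
    """

    def __init__(self, allowed_ports: Set[int], drop_ip_options: bool = True):
        self.allowed_ports = allowed_ports
        self.drop_ip_options = drop_ip_options

    def evaluate(self, pkt: Packet) -> str:
        if self.drop_ip_options and pkt.has_ip_options:
            return "deny"
        return "permit" if pkt.dport in self.allowed_ports else "deny"


class StatefulFilter:
    """Stateful filter: a SYN to a permitted port creates a flow entry.

    The table is bounded (every real device's is). Once spoofed SYNs fill it,
    a new legitimate connection is refused even though its port is allowed.
    """

    def __init__(self, allowed_ports: Set[int], max_flows: int):
        self.allowed_ports = allowed_ports
        self.max_flows = max_flows
        self.flows: Set[Tuple[str, str, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.flows:
            return "permit"           # existing flow, already vetted
        if not pkt.syn or pkt.dport not in self.allowed_ports:
            return "deny"
        if len(self.flows) >= self.max_flows:
            return "deny"             # state table exhausted
        self.flows.add(key)
        return "permit"


def run_simulation(n_spoofed: int = 1000, max_flows: int = 500) -> Dict[str, object]:
    """Feed both filters the same constructed traffic and report what each does
    to a legitimate client that arrives after the spoofed burst."""
    server = "192.0.2.10"                       # constructed server address
    allowed = {80, 443}
    stateless = StatelessFilter(allowed)
    stateful = StatefulFilter(allowed, max_flows)

    # Constructed burst of SYNs, each from a different (spoofed) source.
    flood = [
        Packet(src=f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
               dst=server, dport=80, syn=True, has_ip_options=False)
        for i in range(n_spoofed)
    ]
    legit = Packet(src="198.51.100.7", dst=server, dport=443,
                   syn=True, has_ip_options=False)
    options_pkt = Packet(src="198.51.100.8", dst=server, dport=80,
                         syn=True, has_ip_options=True)

    for p in flood:
        stateless.evaluate(p)
        stateful.evaluate(p)

    return {
        "stateless_legit": stateless.evaluate(legit),       # "permit"
        "stateful_legit": stateful.evaluate(legit),         # "deny": table full
        "stateful_flows_held": len(stateful.flows),         # == max_flows
        "stateless_ip_options": stateless.evaluate(options_pkt),  # "deny"
    }


if __name__ == "__main__":
    for k, v in run_simulation().items():
        print(f"{k}: {v}")
```

The stateless filter's answer for the legitimate client is the same before and after the burst; the stateful filter's answer flips to deny once its table is full, which is the resource an attacker with spoofable addresses can always target. Real devices add timeouts, SYN cookies and rate limits on top of this, but those only raise the cost, they do not remove the per-flow dependency.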