Hi,
I've got a problem regarding IGMP DDoS attacks:
(tcpdump output)
10:39:59.608340 55.178.227.218 > xxx: igmp-4 [tos 0xf,CE]
10:39:59.617338 136.232.158.203 > xxx: igmp-6 [tos 0xc]
10:39:59.626267 70.114.236.149 > xxx: igmp-7 [tos 0xf,CE]
10:39:59.635194 190.12.41.19 > xxx: igmp-4 [tos 0x2,ECT(0)]
10:39:59.647166 106.91.105.123 > xxx: igmp-2 [tos 0x9,ECT(1)]
10:39:59.656299 162.93.40.68 > xxx: igmp-7 [tos 0x1,ECT(1)]
10:39:59.665362 48.147.73.199 > xxx: igmp-8 [tos 0xb,CE]
10:39:59.674391 31.62.69.44 > xxx: igmp-2 [tos 0xe,ECT(0)]
10:39:59.684520 54.216.58.225 > xxx: igmp-8 [tos 0xb,CE]
10:39:59.693458 167.253.177.173 > xxx: igmp-4 [tos 0x4]
10:39:59.702409 181.235.107.133 > xxx: igmp-2 [tos 0x11,ECT(1)]
10:39:59.711948 52.185.187.15 > xxx: igmp-1 [tos 0xb,CE]
10:39:59.720851 16.183.148.246 > xxx: igmp-6 [tos 0x3,CE]
10:39:59.729717 160.162.91.133 > xxx: igmp-7 [tos 0x2,ECT(0)]
10:39:59.741658 45.49.181.87 > xxx: igmp-1 [tos 0x8]
The problem here is not the bandwidth (it's only like 40Mbps) but rather the very, very high CPU utilisation. It did eat almost 100% last time I could get into the router.
Now the question is whether to get this filtered by our upstream or to do it ourselves (if that is even possible without killing the CPU even more).
Any suggestions?
Regards,
Jonas