
Couple of things come to mind:

1. Take a packet capture to see some UDP traffic characteristics, based on which traffic rate-limiting may be configured by your upstream providers, so that this traffic doesn't saturate your pipes, and maybe the ISP can even drop it. That is if they're willing to help you.

2. As far as hardware is concerned, we're in the same boat as far as various UDP/ICMP floods, and our Juniper M10i's handle it with no issues (running multiple BGP sessions, OSPF, firewall sets/access lists).

Sincerely,

David Kotlerewsky, Sr. Network Engineer
-------------------------------------------------
OVERSEE.NET
515 S. Flower Street, Suite 4400
Los Angeles, CA 90071
ph 213.408.0080 x1458
cell 310.350.0399
www.oversee.net
dkotlerewsky@oversee.net

-----Original Message-----
From: Rick Ernst [mailto:ernst@easystreet.com]
Sent: Friday, December 12, 2008 10:15 AM
To: nanog@nanog.org
Subject: UDP DoS mitigation?

We've had an increasing rate of DoS attacks that spew tens-of-thousands of small UDP packets to a destination on our network. We are getting roughly 2x our entire normal pps across all providers through one interface, or about 4x normal through the individual interface. The Cisco 7206VXR/NPE-G1 CPU melts (>95% load vs 15% average, 20% normal peak) when this hits. I'm using CEF and ip-route-cache flow on the outside interface.
Unicast RPF is also enabled on the interface. Unicast RPF in conjunction with a BGP black-hole generator handles TCP attacks fairly well.

Two questions:

- Are there any knobs I should be turning in the Cisco config to help mitigate this?
- Are there any platforms that deal with high PPS/small packet more gracefully? We are looking at a network refresh and aren't locked into Cisco as a vendor (although our current IP network consists entirely of Cisco gear).

Our current aggregate (all providers, in- plus out-bound) bandwidth is ~500Mbs, but projected growth is 1Gbs within the year.

Thanks,
Rick
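An added example, not from either poster, of the first step David recommends: reducing a packet capture to the UDP traffic characteristics (peak pps, packet size, destination ports and hosts) that an upstream provider would need before agreeing to rate-limit or drop the flood. The packet records are constructed here to resemble Rick's description (a steady background plus a burst of tens of thousands of small UDP packets at one destination); in practice they would come from tcpdump or tshark output. The record layout, the 100-byte "small packet" cut-off and the operator-supplied `normal_udp_pps` threshold are assumptions of this example.

```python
"""Characterize a small-packet UDP flood and derive a rate-limit candidate.

Added example. The records are constructed, not a real capture; fill
`records` from tcpdump/tshark output (timestamp, src, dst, proto, dport,
length) before calling these functions on real traffic.
"""
from collections import Counter, defaultdict
from math import floor

SMALL_PACKET_BYTES = 100   # assumption: "small" means under 100 bytes on the wire


def build_sample_records():
    """Constructed traffic: 20 pps of TCP background plus a 3-second burst of
    2000 pps of 60-byte UDP to one host (seconds 5 through 7)."""
    records = []
    for sec in range(10):
        for i in range(20):
            records.append((sec + i / 20.0, f"192.0.2.{i}", f"198.51.100.{i % 5}",
                            "tcp", 443, 1200))
    for sec in range(5, 8):
        for i in range(2000):
            records.append((sec + i / 2000.0, f"203.0.113.{i % 250}", "198.51.100.9",
                            "udp", 53 if i % 2 else 123, 60))
    return records


def per_second_counts(records, proto=None):
    """Packets per whole second, optionally restricted to one protocol."""
    counts = Counter()
    for ts, _src, _dst, p, _port, _length in records:
        if proto is None or p == proto:
            counts[floor(ts)] += 1
    return counts


def udp_profile(records):
    """The numbers a provider asks for before configuring a rate limit."""
    udp = [r for r in records if r[3] == "udp"]
    if not udp:
        return {"packets": 0}
    sizes = [r[5] for r in udp]
    return {
        "packets": len(udp),
        "mean_size": sum(sizes) / len(sizes),
        "small_share": sum(1 for s in sizes if s < SMALL_PACKET_BYTES) / len(sizes),
        "peak_udp_pps": max(per_second_counts(udp).values()),
        "peak_total_pps": max(per_second_counts(records).values()),
        "top_dst_ports": Counter(r[4] for r in udp).most_common(3),
        "top_destinations": Counter(r[2] for r in udp).most_common(3),
    }


def flagged_destinations(records, normal_udp_pps):
    """Destinations whose peak UDP pps exceeds the operator's known normal rate.

    Returns (dst, peak_pps, sorted_ports) tuples: the per-destination scope
    you would hand to a policer or to an upstream rate-limit request.
    """
    per_dst_second = defaultdict(Counter)
    ports = defaultdict(Counter)
    for ts, _src, dst, p, port, _length in records:
        if p == "udp":
            per_dst_second[dst][floor(ts)] += 1
            ports[dst][port] += 1
    flagged = []
    for dst, secs in per_dst_second.items():
        peak = max(secs.values())
        if peak > normal_udp_pps:
            flagged.append((dst, peak, sorted(ports[dst])))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    recs = build_sample_records()
    prof = udp_profile(recs)
    print(f"UDP packets: {prof['packets']}, mean size {prof['mean_size']:.0f} B, "
          f"{prof['small_share']:.0%} under {SMALL_PACKET_BYTES} B")
    print(f"peak UDP pps {prof['peak_udp_pps']}, peak total pps {prof['peak_total_pps']}")
    print("top UDP dst ports:", prof["top_dst_ports"])
    for dst, peak, prts in flagged_destinations(recs, normal_udp_pps=100):
        print(f"rate-limit candidate: udp to {dst}, ports {prts}, peak {peak} pps")
```

The flagged tuple (destination, peak pps, ports) plus the size profile is exactly the scope a provider can express as a policer: small UDP to one host, far above the normal rate, rather than a blanket UDP limit that would hurt legitimate traffic. Comparing `peak_total_pps` against the known normal rate also gives the "2x / 4x normal" figures Rick quotes.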