On Wed, 18 Dec 2013 15:12:28 -0800 "cb.list6" <cb.list6@gmail.com> wrote:
> I am strongly considering having my upstreams simply rate limit ipv4 UDP. It is the simplest solution that is proactive.
I understand your willingness to do this, but I'd strongly advise you to rethink such a strategy. At its simplest implementation, as soon as you do this any UDP flood of that size will then starve important UDP traffic. Yes, DNS is probably the most important, but NTP is another important one you may inadvertently harm.
> The facts are that during steady state less than 5% of my aggregate traffic is ipv4 udp.
I had found this to be generally true years back when I was doing ops at an edu and had in fact put UDP (and other IP protocol) rate limits at the ingress edge, host-facing interfaces. This actually worked pretty well, at least after I also removed the aggregate UDP rate limit in the middle of the network that led to the public Internet. So for instance, a Slammer/Sapphire worm infection was severely limited and contained to impact only a small portion of the infrastructure; meanwhile we could immediately spot the problem when the rate limit alarms were triggered. The problem with your proposal is that it completes the job for your entire network. Now perhaps if you excluded, or provided a separate limit for, what you know to be important UDP flows, then the idea may be more palatable to everyday operations.

John
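The contrast John draws, one aggregate UDP limit versus separate limits for known-important UDP flows, modelled with token buckets. This is an added example, not code from the thread; the traffic mix (a 20k pps UDP flood alongside 200 pps DNS and 20 pps NTP) and the bucket rates are constructed for the simulation.

```python
"""Token-bucket model of two UDP rate-limit designs: an aggregate UDP limit
versus per-class limits with DNS and NTP carved out. All traffic is constructed."""
from collections import defaultdict

DNS_PORT, NTP_PORT = 53, 123

class TokenBucket:
    """Packets-per-second token bucket with a burst allowance."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def classify(pkt):
    """Map a UDP packet to a traffic class by destination port."""
    return {DNS_PORT: "dns", NTP_PORT: "ntp"}.get(pkt["dport"], "other")

def run(packets, policy):
    """policy maps class -> (bucket name, rate, burst); classes naming the same
    bucket share it. Returns {class: (passed, dropped)}."""
    buckets = {}
    for name, rate, burst in policy.values():
        buckets.setdefault(name, TokenBucket(rate, burst))
    stats = defaultdict(lambda: [0, 0])
    for pkt in packets:
        cls = classify(pkt)
        ok = buckets[policy[cls][0]].allow(pkt["t"])
        stats[cls][0 if ok else 1] += 1
    return {cls: tuple(v) for cls, v in stats.items()}

def constructed_traffic():
    """One second of constructed traffic: 20k pps UDP flood, 200 pps DNS, 20 pps NTP."""
    flood = [{"t": i / 20000, "dport": 9999} for i in range(20000)]
    dns = [{"t": j / 200, "dport": DNS_PORT} for j in range(200)]
    ntp = [{"t": k / 20, "dport": NTP_PORT} for k in range(20)]
    return sorted(flood + dns + ntp, key=lambda p: p["t"])  # stable sort: flood first on ties

# Aggregate design: every UDP packet competes for one 1000 pps bucket.
AGGREGATE = {"dns": ("all", 1000, 100), "ntp": ("all", 1000, 100), "other": ("all", 1000, 100)}
# Split design: DNS and NTP get their own buckets; only "other" UDP is squeezed.
SPLIT = {"dns": ("dns", 500, 50), "ntp": ("ntp", 100, 10), "other": ("other", 1000, 100)}

if __name__ == "__main__":
    pkts = constructed_traffic()
    for label, policy in (("aggregate", AGGREGATE), ("split", SPLIT)):
        print(label, run(pkts, policy))
```

Under the aggregate policy the flood consumes almost every token, so nearly all DNS and NTP packets are dropped; under the split policy both pass untouched while the flood alone is held to roughly 1000 pps.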