UDP DoS mitigation?

Matthew Huff mhuff at ox.com
Fri Dec 12 20:04:07 UTC 2008


Although the problem we had wasn't DoS, but rather high packet rates for market data, we saw a huge improvement by moving from a 7204VXR to a 7600 platform. Going from a software-switched environment to a hardware one helped deal with a large number of packet drops during peaks of burst activity.

We looked at the ASR1000, but found the price too high. Although Cisco doesn't promote it, the 7604 with the Sup32 engine (WS-SUP32-GE-3B) with 8 x GE interfaces is a very cost-effective hardware router.

-----Original Message-----
From: Rick Ernst [mailto:ernst at easystreet.com] 
Sent: Friday, December 12, 2008 1:15 PM
To: nanog at nanog.org
Subject: UDP DoS mitigation?


We've had an increasing rate of DoS attacks that spew tens-of-thousands of
small UDP packets to a destination on our network.  We are getting roughly
2x our entire normal pps across all providers through one interface, or
about 4x normal through the individual interface.  The Cisco
7206VXR/NPE-G1 CPU melts (>95% load vs 15% average, 20% normal peak) when
this hits.

I'm using CEF and ip-route-cache flow on the outside interface.  Unicast
RPF is also enabled on the interface.  Unicast RPF in conjunction with a
BGP black-hole generator handles TCP attacks fairly well.

Two questions:
- Are there any knobs I should be turning in the Cisco config to help
mitigate this?
- Are there any platforms that deal with high-pps/small-packet traffic more
gracefully?

We are looking at a network refresh and aren't locked into Cisco as a
vendor (although our current IP network consists entirely of Cisco gear).
Our current aggregate (all providers, in- plus out-bound) bandwidth is
~500 Mb/s, but projected growth is 1 Gb/s within the year.

Thanks,
Rick
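An added configuration example, not from either poster, of the setup Rick describes on a 7200-class IOS router: CEF switching, flow caching and unicast RPF on the outside interface, plus a static-route-triggered BGP black hole (the usual "black-hole generator" pattern). The interface name, the addresses (RFC 5737 documentation ranges), the AS number (64496, private-use range) and the route tag 666 are placeholders, not values from the thread.

```cisco
! Global: CEF switching, and a discard route that black-holed prefixes resolve to
ip cef
ip route 192.0.2.1 255.255.255.255 Null0
!
! Outside (provider-facing) interface: flow cache/export and strict uRPF.
! Strict mode ("rx") drops packets whose source is not routed back out this
! interface; use "reachable-via any" (loose mode) on multihomed links where
! return paths are asymmetric, or strict mode will drop legitimate traffic.
interface GigabitEthernet0/1
 description Upstream provider A (placeholder)
 ip address 198.51.100.2 255.255.255.252
 ip route-cache flow
 ip verify unicast source reachable-via rx
!
! Black-hole trigger: any static route tagged 666 is redistributed into iBGP
! with the discard address as next hop, so every router in AS 64496 sends
! traffic for that prefix to Null0 in the forwarding path.
router bgp 64496
 redistribute static route-map BLACKHOLE
 neighbor 192.0.2.10 remote-as 64496
 neighbor 192.0.2.10 update-source Loopback0
 neighbor 192.0.2.10 send-community
!
route-map BLACKHOLE permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
!
! During an attack: black-hole the victim host (placeholder address).
! The tag matches the route-map above and the /32 propagates via iBGP.
ip route 203.0.113.77 255.255.255.255 Null0 tag 666
```

Two caveats a practitioner would want with this: destination-based black-holing of the victim /32 protects the router and the rest of the network, but it finishes the attacker's job for that one host, since all its traffic is now discarded; and uRPF only removes packets whose source address fails the check, so a UDP flood with plausible (or unspoofed) sources still has to be forwarded, which is why a software-forwarding NPE stays pps-bound regardless of these knobs.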