UDP DoS mitigation?

Roland Dobbins rdobbins at cisco.com
Fri Dec 12 12:24:23 CST 2008


On Dec 13, 2008, at 2:15 AM, Rick Ernst wrote:

> - Are there any platforms that deal with high PPS/small packet more  
> gracefully?

S/RTBH can deal with any type of packet-flooding DDoS at layer-3, up  
to the capacity of the platform in question.  It sounds as if a) you  
should investigate getting DDoS mitigation assistance from your  
upstreams and/or b) moving from your currently software-based platform  
to a hardware-based platform at your edge to provide increased  
performance (this holds true irrespective of which vendor you select  
for your edge platform).

If you move to a hardware-based edge platform, be sure to first  
investigate all the particulars of its uRPF implementation so as to  
ensure that you can use it for S/RTBH, and if at all possible, test it  
before buying.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // +852.9133.2844 mobile

      History is a great teacher, but it also lies with impunity.

                    -- John Robb
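
Added illustration, not part of the original message and not any vendor's code: a small Python model of why the uRPF particulars decide whether a platform can do S/RTBH. It assumes the usual S/RTBH design (a host route for the attacking source pointing at a discard interface, with loose-mode uRPF dropping packets whose source resolves to that route); the `Edge` class, the `null_route_fails_urpf` switch and all addresses (documentation ranges) are constructed for the example.

```python
import ipaddress

DISCARD = "Null0"  # discard next hop, as with a static route to a null interface


class Edge:
    """Toy edge router: longest-prefix-match FIB plus a loose-mode uRPF check."""

    def __init__(self, null_route_fails_urpf=True):
        # Hypothetical switch for the behaviour to verify before buying: does a
        # source address that resolves to a discard route fail the uRPF check?
        self.null_route_fails_urpf = null_route_fails_urpf
        self.fib = {}

    def add_route(self, prefix, next_hop):
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.fib if ip in net]
        if not matches:
            return None
        return self.fib[max(matches, key=lambda net: net.prefixlen)]

    def blackhole_source(self, src):
        # S/RTBH trigger: more-specific route for the source toward discard.
        self.add_route(f"{src}/32", DISCARD)

    def forward(self, src, dst):
        src_hop = self.lookup(src)
        if src_hop is None:
            return "drop:urpf-no-route"           # loose uRPF: source unknown
        if src_hop == DISCARD and self.null_route_fails_urpf:
            return "drop:urpf-blackholed-source"  # the S/RTBH drop itself
        dst_hop = self.lookup(dst)
        if dst_hop is None or dst_hop == DISCARD:
            return "drop:no-forwarding-path"
        return f"forward:{dst_hop}"


def run(null_route_fails_urpf):
    """Replay a constructed flood (3 attack packets, 1 legitimate packet)."""
    r = Edge(null_route_fails_urpf)
    r.add_route("203.0.113.0/24", "upstream")    # attacker's network
    r.add_route("192.0.2.0/24", "upstream")      # legitimate client's network
    r.add_route("198.51.100.0/24", "customer")   # protected destination
    r.blackhole_source("203.0.113.7")
    flood = [("203.0.113.7", "198.51.100.10")] * 3 + [("192.0.2.50", "198.51.100.10")]
    return [r.forward(s, d) for s, d in flood]
```

With `run(True)` only the blackholed source is dropped and the legitimate client still reaches the destination; with `run(False)` the trigger route is installed but every flood packet is still forwarded, which is the failure a pre-purchase test should look for.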




