UDP DoS mitigation?

David Kotlerewsky dkotlerewsky at oversee.net
Fri Dec 12 18:27:10 UTC 2008

Couple of things come to mind:

1. Take a packet capture to see some UDP traffic characteristics, based
on which traffic rate-limiting may be configured by your upstream
providers, so that this traffic doesn't saturate your pipes, and maybe
the ISP can even drop it. That is if they're willing to help you.

2. As far as hardware is concerned, we're in the same boat as far as
various UDP/ICMP floods, and our Juniper M10i's handle it with no issues
(running multiple BGP sessions, OSPF, firewall sets/access lists).

David Kotlerewsky,
Sr. Network Engineer
515 S. Flower Street, Suite 4400
Los Angeles, CA 90071
ph 213.408.0080 x1458
cell 310.350.0399
dkotlerewsky at oversee.net
Confidentiality Warning: this email contains information intended for
the use of the individual or entity named above. If the reader of this
e-mail is not the intended recipient or the employee or agent
responsible for delivering it to the intended recipient, any
dissemination, publication or copying of this e-mail is prohibited. The
sender does not accept any responsibility for any loss, disruption or
damage to your data or computer system that may occur while using data
contained in it, or transmitted with this e-mail. If you have received
this e-mail in error, please immediately notify us by return e-mail.
Thank you.

-----Original Message-----
From: Rick Ernst [mailto:ernst at easystreet.com] 
Sent: Friday, December 12, 2008 10:15 AM
To: nanog at nanog.org
Subject: UDP DoS mitigation?

We've had an increasing rate of DoS attacks that spew tens-of-thousands
small UDP packets to a destination on our network.  We are getting
2x our entire normal pps across all providers through one interface, or
about 4x normal through the individual interface.  The Cisco
7206VXR/NPE-G1 CPU melts (>95% load vs 15% average, 20% normal peak)
this hits.

I'm using CEF and ip-route-cache flow on the outside interface.  Unicast
RPF is also enabled on the interface.  Unicast RPF in conjunction with a
BGP black-hole generator handles TCP attacks fairly well.

Two questions:
- Are there any knobs I should be turning in the Cisco config to help
mitigate this?
- Are there any platforms that deal with high PPS/small packet more

We are looking at a network refresh and aren't locked into Cisco as a
vendor (although our current IP network consists entirely of Cisco
Our current aggregate (all providers, in- plus out-bound) bandwidth is
~500Mbs, but projected growth is 1Gbs within the year.


More information about the NANOG mailing list