[109854] in North American Network Operators' Group
Re: UDP DoS mitigation?
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Fri Dec 12 13:24:33 2008
From: Roland Dobbins <rdobbins@cisco.com>
To: nanog@nanog.org
In-Reply-To: <57995.69.30.17.85.1229105716.squirrel@www.woofpaws.com>
Date: Sat, 13 Dec 2008 02:24:23 +0800
Errors-To: nanog-bounces@nanog.org

On Dec 13, 2008, at 2:15 AM, Rick Ernst wrote:

> - Are there any platforms that deal with high PPS/small packet more
> gracefully?

S/RTBH can deal with any type of packet-flooding DDoS at layer-3, up
to the capacity of the platform in question. It sounds as if you
should investigate a) getting DDoS mitigation assistance from your
upstreams and/or b) moving from your currently software-based platform
to a hardware-based platform at your edge to provide increased
performance (this holds true irrespective of which vendor you select
for your edge platform).

If you move to a hardware-based edge platform, be sure to first
investigate all the particulars of its uRPF implementation so as to
ensure that you can use it for S/RTBH, and if at all possible, test it
before buying.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile
History is a great teacher, but it also lies with impunity.
-- John Robb
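
The following is an added example, not part of the original post: a small vendor-neutral Python model of why S/RTBH depends on the uRPF implementation. It assumes the usual S/RTBH mechanism (loose-mode uRPF plus a trigger-injected route for the attacking source that points at a discard interface); the prefixes, the `Null0` label and the `null_route_fails` switch are constructed for illustration, and the BGP trigger is reduced to adding a route directly.

```python
import ipaddress

DISCARD = "Null0"  # constructed label for the discard/null interface

class Fib:
    """Minimal longest-prefix-match forwarding table (illustrative model)."""
    def __init__(self):
        self.routes = []  # list of (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [(n, nh) for n, nh in self.routes if ip in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

def loose_urpf_permits(fib, src, null_route_fails=True):
    """Loose-mode uRPF: permit if any route back to the source exists.
    null_route_fails models whether the platform treats a best route to the
    discard interface as a failed check, which is what S/RTBH relies on."""
    nh = fib.lookup(src)
    if nh is None:
        return False
    if nh == DISCARD and null_route_fails:
        return False
    return True

def forward(fib, src, dst, null_route_fails=True):
    """Return a drop reason or the egress next hop for one packet."""
    if not loose_urpf_permits(fib, src, null_route_fails):
        return "drop-urpf"
    nh = fib.lookup(dst)
    if nh is None:
        return "drop-noroute"
    return "drop-null" if nh == DISCARD else nh

def build_edge_fib(blackholed_sources):
    """Edge router FIB: default route, one customer prefix, trigger routes."""
    fib = Fib()
    fib.add("0.0.0.0/0", "upstream")       # default: every source is "reachable"
    fib.add("203.0.113.0/24", "customer")  # constructed victim prefix
    for src in blackholed_sources:         # routes injected by the trigger
        fib.add(src, DISCARD)
    return fib
```

With `null_route_fails=False` the same blackhole route no longer drops traffic from the attacking source, which is the kind of platform-specific behaviour worth confirming in a lab before purchase.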