[109861] in North American Network Operators' Group


RE: UDP DoS mitigation?

daemon@ATHENA.MIT.EDU (Matthew Huff)
Fri Dec 12 15:04:21 2008

From: Matthew Huff <mhuff@ox.com>
To: "ernst@easystreet.com" <ernst@easystreet.com>, "nanog@nanog.org"
	<nanog@nanog.org>
Date: Fri, 12 Dec 2008 15:04:07 -0500
In-Reply-To: <57995.69.30.17.85.1229105716.squirrel@www.woofpaws.com>
Errors-To: nanog-bounces@nanog.org

Although the problem we had wasn't DoS, but rather high packet rates for market data, we saw a huge improvement by moving from a 7204VRX to a 7600 platform. Going from a software switched environment to a hardware one helped deal with large number of packet drops during peaks of burst activity.

We looked at the ASR1000, but found the price too high. Although Cisco doesn't promote it, the 7604 with the Sup32 engine (WS-SUP32-GE-3B) with 8 x GE interfaces is a very cost effective hardware router.

-----Original Message-----
From: Rick Ernst [mailto:ernst@easystreet.com]
Sent: Friday, December 12, 2008 1:15 PM
To: nanog@nanog.org
Subject: UDP DoS mitigation?


We've had an increasing rate of DoS attacks that spew tens-of-thousands of
small UDP packets to a destination on our network.  We are getting roughly
2x our entire normal pps across all providers through one interface, or
about 4x normal through the individual interface.  The Cisco
7206VXR/NPE-G1 CPU melts (>95% load vs 15% average, 20% normal peak) when
this hits.

I'm using CEF and ip-route-cache flow on the outside interface.  Unicast
RPF is also enabled on the interface.  Unicast RPF in conjunction with a
BGP black-hole generator handles TCP attacks fairly well.

Two questions:
- Are there any knobs I should be turning in the Cisco config to help
mitigate this?
- Are there any platforms that deal with high PPS/small packet more
gracefully?

We are looking at a network refresh and aren't locked into Cisco as a
vendor (although our current IP network consists entirely of Cisco gear).
Our current aggregate (all providers, in- plus out-bound) bandwidth is
~500Mbs, but projected growth is 1Gbs within the year.

Thanks,
Rick
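Rick's description of the attack (tens of thousands of small UDP packets toward one destination, at roughly 4x the interface's normal pps) can be turned into a detection over the NetFlow data that `ip route-cache flow` already exports. The following is an added example, not code from the thread; the flow records, the per-interface baseline pps values, the 100-byte "small packet" cutoff and the 4x multiplier are all constructed assumptions.

```python
"""Flag small-packet UDP floods in NetFlow-style records (added example).

Records are constructed here in the shape of a NetFlow v5 flow summary:
input interface, IP protocol, destination, packet and byte counts over a
fixed export window. All thresholds below are assumptions, not values
from the thread.
"""
from collections import defaultdict

WINDOW_SECONDS = 60          # assumed flow export interval
SMALL_PACKET_BYTES = 100     # assumed: mean packet size below this is "small"
FLOOD_MULTIPLIER = 4.0       # report: ~4x normal pps on the hit interface

# Constructed sample flows: (input_if, proto, dst_ip, packets, bytes)
FLOWS = [
    ("Gi0/1", 17, "192.0.2.10", 1_800_000, 108_000_000),  # 60 B UDP flood
    ("Gi0/1", 6,  "192.0.2.20",   150_000, 150_000_000),  # ordinary TCP
    ("Gi0/1", 17, "192.0.2.30",    40_000,  48_000_000),  # large-packet UDP
    ("Gi0/2", 17, "192.0.2.40",    90_000,   5_400_000),  # small UDP, low rate
]

# Constructed baseline: normal pps per input interface (e.g. from SNMP history)
BASELINE_PPS = {"Gi0/1": 6_000, "Gi0/2": 3_000}


def small_udp_pps(flows, window=WINDOW_SECONDS):
    """Return {(input_if, dst_ip): pps} for UDP flows with a small mean packet size."""
    per_dst = defaultdict(int)
    for in_if, proto, dst, pkts, octets in flows:
        if proto != 17 or pkts == 0:
            continue                       # only UDP; skip empty records
        if octets / pkts < SMALL_PACKET_BYTES:
            per_dst[(in_if, dst)] += pkts  # aggregate all small-UDP flows per dst
    return {key: pkts / window for key, pkts in per_dst.items()}


def flag_floods(flows, baseline=BASELINE_PPS, multiplier=FLOOD_MULTIPLIER):
    """Return (input_if, dst_ip, pps, threshold) where small-UDP pps exceeds
    multiplier x the interface's baseline pps."""
    alerts = []
    for (in_if, dst), pps in small_udp_pps(flows).items():
        threshold = baseline.get(in_if, 0) * multiplier
        if threshold and pps > threshold:
            alerts.append((in_if, dst, round(pps), round(threshold)))
    return sorted(alerts)


if __name__ == "__main__":
    for in_if, dst, pps, thr in flag_floods(FLOWS):
        print(f"{in_if}: small-UDP flood toward {dst}: {pps} pps (threshold {thr})")
```

Flagged destinations are the natural input for the BGP black-hole generator Rick already uses for TCP attacks.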



