[109892] in North American Network Operators' Group
Re: UDP DoS mitigation?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sun Dec 14 07:55:44 2008
From: Florian Weimer <fw@deneb.enyo.de>
To: ernst@easystreet.com
Date: Sun, 14 Dec 2008 13:52:17 +0100
In-Reply-To: <57995.69.30.17.85.1229105716.squirrel@www.woofpaws.com> (Rick
Ernst's message of "Fri, 12 Dec 2008 10:15:16 -0800 (PST)")
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
* Rick Ernst:
> We've had an increasing rate of DoS attacks that spew tens-of-thousands of
> small UDP packets to a destination on our network. We are getting roughly
> 2x our entire normal pps across all providers through one interface, or
> about 4x normal through the individual interface. The Cisco
> 7206VXR/NPE-G1 CPU melts (>95% load vs 15% average, 20% normal peak) when
> this hits.
>
> I'm using CEF and ip-route-cache flow on the outside interface.
Is the UDP stream a single flow, or does it consist of lots of
different flows?
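To make that question concrete, the following is an added example (not from the thread or from either author): it summarises constructed flow-export records per destination, reporting UDP pps, mean packet size and the number of distinct 5-tuples, and labels each destination single-flow or multi-flow. The record format, the 10-second export window and all addresses are assumptions; the distinction matters because every distinct 5-tuple is a separate flow-cache entry on a router running `ip route-cache flow`.

```python
from collections import defaultdict, namedtuple

# Record format is an assumption: src dst proto sport dport packets bytes
Flow = namedtuple("Flow", "src dst proto sport dport packets nbytes")

def parse_flows(text):
    """Parse whitespace-separated flow-export lines, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        records.append(Flow(f[0], f[1], *map(int, f[2:7])))
    return records

def summarise_udp(records, window_seconds):
    """Per destination: UDP pps, mean packet size, distinct 5-tuples and sources."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": set(), "sources": set()})
    for r in records:
        if r.proto != 17:  # UDP only, as in the flood described in the thread
            continue
        a = acc[r.dst]
        a["packets"] += r.packets
        a["bytes"] += r.nbytes
        a["flows"].add((r.src, r.sport, r.dport))
        a["sources"].add(r.src)
    summary = {}
    for dst, a in acc.items():
        n = len(a["flows"])  # each distinct 5-tuple is one flow-cache entry on the router
        summary[dst] = {"pps": a["packets"] / window_seconds,
                        "avg_pkt_bytes": a["bytes"] / a["packets"],
                        "flows": n, "sources": len(a["sources"]),
                        "profile": "single-flow" if n == 1 else "multi-flow"}
    return summary

def build_sample():
    """Constructed 10 s export: a 50-flow UDP flood, normal DNS answers, one TCP flow."""
    lines = ["# src dst proto sport dport packets bytes"]
    for i in range(1, 51):  # 50 spoofed sources, 800 x 60-byte packets each
        lines.append(f"198.51.100.{i} 203.0.113.10 17 {1024 + i} 40000 800 48000")
    lines.append("192.0.2.5 203.0.113.20 17 53 33000 100 12000")  # ordinary DNS replies
    lines.append("192.0.2.9 203.0.113.30 6 443 51000 300 90000")  # TCP, not counted
    return "\n".join(lines)

def analyse_sample(window_seconds=10):
    """Answer the single-flow vs multi-flow question for the constructed export."""
    return summarise_udp(parse_flows(build_sample()), window_seconds)
```

On the constructed data the flooded host shows 4000 pps of 60-byte packets spread over 50 flows, while the normal DNS traffic is one flow at 10 pps.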