nanog mailing list archives
Re: UDP DoS mitigation?
From: Roland Dobbins <rdobbins () cisco com>
Date: Sat, 13 Dec 2008 02:24:23 +0800
On Dec 13, 2008, at 2:15 AM, Rick Ernst wrote:
> - Are there any platforms that deal with high PPS/small packet more gracefully?
S/RTBH can deal with any type of packet-flooding DDoS at layer-3, up to the capacity of the platform in question. It sounds as if a) you should investigate getting DDoS mitigation assistance from your upstreams and/or b) moving from your currently software-based platform to a hardware-based platform at your edge to provide increased performance (this holds true irrespective of which vendor you select for your edge platform).
If you move to a hardware-based edge platform, be sure to first investigate all the particulars of its uRPF implementation so as to ensure that you can use it for S/RTBH, and if at all possible, test it before buying.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // +852.9133.2844 mobile
History is a great teacher, but it also lies with impunity.
-- John Robb