DoS Protection (UDP Flood and TCP SYN Attacks) with QoS

jeffgraves
Level 1

Looking for advice on hardening IOS router configuration to help protect against DoS attacks (not necessarily against the router itself, but a target downstream). We've seen a few DoS attacks in recent months (UDP flood) that are saturating our upstream links. We have a 3750 stack at the edge of our network with redundant 1 Gbps uplinks, which is connected to a Fortigate 3040B downstream. The Fortigate has UTM features that detected and blocked the traffic. However, the recent attacks totalled about 2.5 Gbps of bandwidth, so while the CPU on both the 3750 stack and the Fortigate was fine, the upstream links were saturated and it caused a network outage. We're upgrading the upstream links to 10 Gbps to help compensate; however, I'd like to see what else we can do with QoS to help mitigate these attacks.

Specifically, I'm interested in protecting against UDP flood and TCP SYN attacks. We're a web host, so inbound/outbound HTTP/HTTPS traffic is critical for us. What I would like to do is create a policy that limits the amount of UDP bandwidth available (i.e. limit to 500 Mbps) and a similar policy that prevents a TCP SYN attack, perhaps by limiting the number of SYN packets to our networks. It seems like we might be able to do this with policy-maps and service-policies on our upstream links:

http://www.sanjta.org/?p=150

I'm not in the market to replace hardware, so I'd like to do what I can with the existing 3750 stack (running IOS 15.0(1)), and I'm not overly concerned with dropping traffic during an attack; I'd rather have some services available than be completely down until the attack subsides. What I'm concerned with is how implementing QoS will affect existing traffic. We typically run between 500-600 Mbps throughout the day, so I'm wondering if we'll start process-switching packets if I enable QoS, or if we'll impact memory on the 3750 stack, etc.

Any advice or config examples are appreciated (even if it's "you'll do more damage enabling this on the 3750 stack than it will help").

0 Replies
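The thread has no replies, so the configuration below is an added example of the policy-map / service-policy approach the question asks about; it is not the poster's configuration. Interface names, ACL and class names, and the 20 Mbps SYN figure are assumptions; the 500 Mbps UDP figure is the poster's. Three caveats a practitioner would want before copying it: on the Catalyst 3750 policing is an ingress, hardware (ASIC) function, so it does not push traffic onto the CPU, but it also cannot un-saturate the provider-facing 1 Gbps link, because the flood has already crossed that link by the time the policer drops it; what it protects is everything downstream of the switch (the Fortigate and the hosts). Protecting the link itself needs the upstream provider to rate-limit or blackhole on their side. Second, `mls qos` is off by default, and turning it on makes every port untrusted (ingress DSCP/CoS is rewritten to 0) and activates the default egress queue-sets, which are known to cause output drops on bursty traffic; check `show mls qos interface statistics` for drops after enabling it. Third, confirm that IOS 15.0(1) on this platform accepts a QoS class that references an ACL using the `syn` flag; if the parser rejects it, the SYN class has to be dropped and the UDP policer kept on its own.

```cisco
! Added example, not from the original post: ingress policers on a 3750 stack
! to cap inbound UDP and inbound TCP SYN on the provider-facing uplinks.
! Assumed: uplinks are Gi1/0/1 and Gi2/0/1; 500 Mbps UDP is the poster's figure;
! 20 Mbps for SYN is a placeholder to be sized from the policer counters on a
! normal day before an attack.
!
! Policers require QoS to be enabled globally (see caveats above).
mls qos
!
! Classification ACLs. QoS ACLs on this platform only honour permit entries.
ip access-list extended QOS-UDP-ANY
 permit udp any any
ip access-list extended QOS-TCP-SYN
 remark matches any segment with SYN set, so inbound SYN-ACK replies count too
 permit tcp any any syn
!
class-map match-all UDP-INBOUND
 match access-group name QOS-UDP-ANY
class-map match-all TCP-SYN-INBOUND
 match access-group name QOS-TCP-SYN
!
! Single-rate policer per class: rate in bits/s, normal burst in bytes,
! drop everything over the rate. Policers are applied per port, so two
! uplinks allow up to 2 x 500 Mbps of UDP in aggregate.
policy-map EDGE-DDOS-INGRESS
 class UDP-INBOUND
  police 500000000 1000000 exceed-action drop
 class TCP-SYN-INBOUND
  police 20000000 500000 exceed-action drop
! Everything else (established HTTP/HTTPS data, ICMP, etc.) lands in
! class-default and is forwarded without policing.
!
interface GigabitEthernet1/0/1
 description Uplink A (assumed interface name)
 service-policy input EDGE-DDOS-INGRESS
!
interface GigabitEthernet2/0/1
 description Uplink B (assumed interface name)
 service-policy input EDGE-DDOS-INGRESS
!
! Verification: per-port in-profile / out-of-profile policer counters and
! queue drop counters. On this platform "show policy-map interface" does not
! report policer hits; use the mls qos statistics instead.
! show mls qos
! show mls qos interface GigabitEthernet1/0/1 statistics
```

The burst values are deliberately generous so that normal HTTP/HTTPS and DNS bursts are not clipped; tune the SYN rate upward if the out-of-profile counter climbs on a quiet day, since a SYN policer that is too tight turns into a self-inflicted outage for new connections.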