Re: [j-nsp] (d)DoS handling

From: Rob Heath (rheath@c-pro.net)
Date: Fri Apr 06 2001 - 04:02:41 EDT


And so said Jared Mauch:

At 00:10 06/04/2001 -0400, you wrote:
> I think you are talking about the
> "ip verify unicast source reachable-via any"
>
> This drops packets where the src in the header has no return
> path at all. i.e. I don't have a route to anything in 10/8 in my forwarding
> table. If I get anything with a source out of 10/8, I can drop those
> on the Cisco. (As of today, you can not do this on Engine-2 Linecards.)
>
> The ability to do this on ocN interfaces on the Juniper would
> be wonderful, IMHO :) The added ability of the more strict rpf check
> is also useful. This would allow customer based circuits to be filtered.

You can packet filter for RFC1918 source traffic though. I guess the
benefit of doing this would allow you to filter for other traffic too,
perhaps your own prefixes. Does anyone have any significant traffic through
such a filter, and would such a filter impact performance on a high
throughput network?

It would be great if you could pull SNMP stats for individual filters too
so that you could see which interface was receiving the traffic. I seem to
remember that you are just able to see the overall figure of filtered
traffic, although this may have changed since I last used any Juniper kit
in anger (4.0R4).

On a side note, do you know of anyone that has taken the Juniper
Certification tests? Are there any figures on how many people have
passed/failed?

rob

Rob Heath
Network Consultant
C-Pro Ltd

Tel: +44 1256 406 500
Mob: +44 7712 005 505
http://www.c-pro.net
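The two things discussed in this message, a stateless filter that discards packets with RFC1918 source addresses and a way to see which interface the dropped traffic arrived on, can both be expressed in a Junos firewall filter. The configuration below is an added example written for this archive page; it is not from Rob's or Jared's mail and not vendor documentation. The filter name `drop-rfc1918-src`, the counter names, the `so-0/0/0` interface and the 192.0.2.1/30 address are assumed placeholders. The `count` action keeps a per-term counter that is readable with `show firewall` (and via the firewall MIB), and `interface-specific` makes Junos instantiate one counter set per interface the filter is applied to, which is what the per-interface statistics question above is after.

```junos
firewall {
    family inet {
        filter drop-rfc1918-src {
            /* one counter per interface instead of one global counter */
            interface-specific;
            term rfc1918-sources {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    /* count before discarding so the drops are visible */
                    count rfc1918-src-dropped;
                    discard;
                }
            }
            term everything-else {
                then {
                    count rfc1918-filter-passed;
                    accept;
                }
            }
        }
    }
}
interfaces {
    /* assumed upstream interface; apply the filter on ingress */
    so-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input drop-rfc1918-src;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
```

With `interface-specific` set, the counters show up under `show firewall` with the interface name appended (for example `rfc1918-src-dropped-so-0/0/0.0-i`), so the interface receiving the spoofed traffic can be read straight off the counter name rather than from an aggregate figure. The explicit final `accept` term matters: a Junos filter discards anything no term matches, so omitting it would drop all traffic on the interface.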


