[j-nsp] Juniper denial of service attacks...

sthaug at nethelp.no
Sat Jan 10 07:26:49 EST 2004


> In general I've seen Junipers handle high PPS volumes much better than
> Cisco gear. In fact, I've recently experienced an issue with a C6509+MSFC2
> where it couldn't handle a 120Kpps DOS attack. I would expect those
> problems from a 7500, so I can't really think Cisco's 7600 platform is
> that much more spectacular.

It all depends on how you configure the 6500/7600 (it's the same box,
really). It does packet filtering and policing in hardware, but traffic
to the interface addresses on the box gets handled by the MSFC2. So you
need to limit/block (as appropriate) traffic to the interface addresses;
this is *not* done automatically.

At my previous employer we saw DoS attacks of much more than 120 kpps
fairly regularly, and the 6509s handled it with no sweat.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
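
Added example, not part of the original post: a sketch of an inbound IOS ACL that restricts traffic addressed to the router's own interface addresses while leaving transit traffic alone. The ACL name, interface name and all addresses (documentation ranges) are assumptions made for illustration.

```ios
! Constructed example; every address and name below is an assumption.
!   192.0.2.1        this router's address on the edge interface
!   192.0.2.2        eBGP peer on the same link
!   203.0.113.1      this router's loopback address
!   198.51.100.0/24  management network
ip access-list extended PROTECT-INTERFACE-ADDRS
 remark BGP with the directly connected peer, both directions of the session
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 remark SSH, SNMP and ping from the management network only
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq 22
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq snmp
 permit icmp 198.51.100.0 0.0.0.255 host 203.0.113.1 echo
 remark ICMP errors the router needs for its own outbound traffic
 permit icmp any host 192.0.2.1 unreachable
 permit icmp any host 192.0.2.1 time-exceeded
 remark Everything else addressed to the router itself is dropped
 deny ip any host 192.0.2.1
 deny ip any host 203.0.113.1
 remark Transit traffic is not affected
 permit ip any any
!
interface GigabitEthernet1/1
 description Edge link (assumed interface name)
 ip access-group PROTECT-INTERFACE-ADDRS in
```

The two deny lines cover the "block" case; the permit entries above them are the traffic that still reaches the route processor, so those are the ones to consider for the "limit" case.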

