[j-nsp] DDoS filters
Pedro Roque Marques
roque at juniper.net
Mon Mar 29 15:02:53 EST 2004
jf at probe-networks.de (Jonas Frey Probe Networks) writes:
> Hi all,
>
> I am looking for a way to filter DDoS targeted at customers. Something
> like to set a policy to not accept (drop) any more connections (SYNs and
> maybe ICMP traffic) to a specific IP/netblock if a limit is exceeded.
> This of course will break new (TCP) connections, but the old ones should
> remain active, which is pretty important.
>
> Regarding a UDP DDoS attack I am not sure what could be done to limit
> the impact of this.
>
> Does anyone here have any filters like this in place, or deal with a lot
> of DDoS attacks daily and have some technique and knowledge they want to
> share (maybe off-list)?
>
I would recommend using DCU in conjunction w/ policers in order to
achieve this.
DCU allows you to tag via policy a given set of routes w/ a
'class'. That class can then be used to sample/rate-limit and trigger
any firewall rules.
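The following Junos configuration fragment is an added illustration of the DCU-plus-policer approach described in the reply above; it is not from the original message or from Juniper documentation. The customer prefix (192.0.2.0/24), the class name `customer-a`, the policer rates, and the interface `ge-0/0/0` are assumed values chosen for the example. The export policy tags routes to the customer prefix with a destination class, and an output filter on the customer-facing interface polices only TCP SYN packets (and ICMP) toward that class, so established connections keep flowing while new-connection attempts above the rate are dropped.

```junos
/* Added example: tag customer routes with a destination class (DCU). */
policy-options {
    policy-statement set-dcu {
        term customer-a {
            from {
                /* Assumed customer netblock; any more-specific route counts too. */
                route-filter 192.0.2.0/24 orlonger;
            }
            then destination-class customer-a;
        }
    }
}

/* The class tag is applied at forwarding-table export time. */
routing-options {
    forwarding-table {
        export set-dcu;
    }
}

firewall {
    /* Assumed rate: SYN traffic above 1 Mbit/s toward the class is discarded. */
    policer syn-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
    /* Assumed rate for ICMP toward the class. */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 50k;
        }
        then discard;
    }
    family inet {
        filter dcu-ddos {
            /* Only SYN (not SYN/ACK or established) packets hit the policer,
               so existing TCP sessions are untouched. */
            term limit-syn {
                from {
                    destination-class customer-a;
                    protocol tcp;
                    tcp-flags "syn & !ack";
                }
                then policer syn-limit;
            }
            term limit-icmp {
                from {
                    destination-class customer-a;
                    protocol icmp;
                }
                then policer icmp-limit;
            }
            term accept-rest {
                then accept;
            }
        }
    }
}

/* Assumed customer-facing interface. DCU is a destination lookup, so the
   filter is applied on the output side toward the customer, and
   destination-class accounting must be enabled on that interface for the
   destination-class match to be evaluated. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                accounting {
                    destination-class-usage;
                }
                filter {
                    output dcu-ddos;
                }
            }
        }
    }
}
```

Two caveats a practitioner should keep in mind: a policer limits bandwidth, not connection count, so the SYN limit is a bit rate rather than the "connections per second" the original question asks for; and for a UDP flood the same pattern (a `protocol udp` term with its own policer) only protects the downstream link, since the packets have already consumed upstream capacity by the time they reach the filter.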