[j-nsp] Modern BGP peering border router and DDoS recommendations
Justin M. Streiner
streiner at cluebyfour.org
Fri Jun 10 15:30:21 EDT 2005
On Fri, 10 Jun 2005, Sam Crooks wrote:
> I'm trying to get a handle on the Juniper platform needed to withstand a
> 1) small
> 2) medium
> 3) large-scale (NxGbps rate)
> DDoS attack
Most of the M-series routers stand up very well against even a large attack
because of the hardware-based packet forwarding. I believe the J-series
routers do at least some software-based forwarding, but I don't have any
direct experience with them or their ability to handle attacks without
> What Juniper router would be comparable to:
> Cisco 7200?
These are my personal opinions - I speak for no one else.
J6300, M7i, M10i
> Cisco 7304?
Same as the 7200.
> Cisco 7600?
I'd say M20/M40e/M320, based on port density.
> And are there any serious issues with the lower end of the Juniper line
> I should know about?
> (for example, something like: "You can't take full routes from your BGP
> peers without at least M7/M10/M20 etc... and X level of memory")
M7i/M10i can handle full BGP routes. To be safe you probably want to put
512 or 768 MB of RAM on the routing engine.
> I'm shopping for these as border routers to an end-user AS, with fairly
> low (fractional DS-3) bandwidth requirements for the application...
> additional access port speed would be primarily for assisting with
> mitigating DDoS attacks.