[j-nsp] anti DDoS in trio MX'es ?

Saku Ytti saku at ytti.fi
Tue Aug 9 12:23:38 EDT 2011


On (2011-08-09 15:11 +0200), bas wrote:

Hey,

> I don't see where this has any benefit over a properly configured re
> input filter.

I agree with this. I was VERY concerned upon seeing this feature, in what order
it is processed, as DDOS policers can't differentiate good and bad traffic.
Luckily lo0 is evaluated first, so what DDOS policers do or don't do isn't of much
relevance to anyone with a semi-sane lo0 filter.
I also noticed that after passing the DDOS policer there seems to be another 10kpps
policer before reaching the RE. Which is problematic, as some default values in the
DDOS policer allow 20kpps.

I'd really love for this pps policing functionality to be exposed to firewall
policers, as it is much more useful in lo0 policers than bps policing.

> Anyone on this list understand how this feature can be used in any
> sensible way against "real" internet DDoS attacks?

In my opinion it is just a poor man's lo0 filter.

Some things I found, while trying to figure out where the DDOS filter is done:
http://ip.fi/punt.txt

-- 
  ++ytti
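As an added example (not from the original post or the thread), here is a Junos configuration that follows the approach the post argues for: an lo0 input filter that admits control-plane traffic selectively and bps-polices the rest, with the ddos-protection default for one protocol lowered beneath the 10kpps RE-side figure the post mentions. The prefix-list name, filter and policer names and the rate values are assumptions.

```junos
/* Loopback filter is evaluated first, so it decides what reaches the RE at all. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Only configured neighbours may talk BGP to the RE. */
            term bgp-peers {
                from {
                    source-prefix-list bgp-peers;   /* assumed prefix-list name */
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* ICMP is useful but unauthenticated: rate-limit it (bps only here). */
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Everything not explicitly admitted never reaches the DDOS policers. */
            term default {
                then discard;
            }
        }
    }
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;        /* assumed value, bits per second */
            burst-size-limit 15k;
        }
        then discard;
    }
}
/* Per-protocol ddos-protection limit is in pps; keep it under the 10kpps stage. */
system {
    ddos-protection {
        protocols {
            icmp {
                aggregate {
                    bandwidth 5000;    /* assumed value, packets per second */
                    burst 5000;
                }
            }
        }
    }
}
```

Compare `show ddos-protection protocols icmp statistics` against the lo0 filter counters to see which stage is actually dropping traffic.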

