[j-nsp] What's the best way to announce an IP range in BGP? Doesn't physically exist anywhere.

Morgan Mclean wrx230 at gmail.com
Fri Jun 22 12:49:24 EDT 2012


This is exactly what happened. The session table filled up. One of our security guys took down our edge 650 cluster from a single unix box out on the net.

Sent from my iPhone

On Jun 22, 2012, at 4:39 AM, "Scott T. Cameron" <routehero at gmail.com> wrote:

> On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean <wrx230 at gmail.com> wrote:
> 
>> I have a /24 I want to announce, but I don't actually have it anywhere on
>> the network. I NAT some of its IPs on the SRX that has the BGP session
>> with our providers.
>> 
>> I've been using static routes with the discard flag, but I don't really
>> like the way the SRX handles traffic. It still creates sessions for traffic
>> destined to IPs not used anywhere (hitting the static route) and can be
>> easily DoS'd because of this.
>> 
>> Is there a better way to just tell our providers hey, we have this range?
>> 
>> 
> It sounds like you're using the SRX as an edge router with a BGP session
> upstream?
> 
> I don't have this architecture here, but I had the same problem.  I had my
> edge router announce the /24 to the BGP upstreams, and my SRX announce the
> /24 via OSPF to the MX.
> 
> Unfortunately, one of my IPs was hammered, and filled up the session table
> with invalid sessions.  That was the real issue, at least in my case: even
> invalid sessions were taking a session, and prohibiting legitimate traffic
> from flowing.
> 
> The solution was only to announce from SRX to MX (edge router) the /32s
> that were actually in use.
> 
> I suppose that a firewall filter may help on your ingress ports to only
> permit the traffic to the /32s that are actually in use, but I can't say
> from experience if this will happen before a session is created, even in
> invalid state.
> 
> Scott
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
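One way to build the split that Scott describes, as an added Junos configuration sketch that is not from the thread: the MX edge holds the /24 as a discard route, exports only that aggregate to the upstream, and applies a stateless ingress filter that passes only the in-use /32s, so packets to unused addresses are dropped on the MX before the SRX can create a session for them. The prefix (192.0.2.0/24), the in-use hosts, the interface and group names are placeholders; the SRX-to-MX OSPF side is not shown.

```junos
## Hold the /24 locally; packets to unused addresses are discarded here
set routing-options static route 192.0.2.0/24 discard

## Only the addresses that are actually in use (NAT pool members, servers)
set policy-options prefix-list IN-USE-HOSTS 192.0.2.10/32
set policy-options prefix-list IN-USE-HOSTS 192.0.2.11/32

## Export only the aggregate to the upstream, never anything more specific
set policy-options policy-statement EXPORT-AGGREGATE term announce-24 from protocol static
set policy-options policy-statement EXPORT-AGGREGATE term announce-24 from route-filter 192.0.2.0/24 exact
set policy-options policy-statement EXPORT-AGGREGATE term announce-24 then accept
set policy-options policy-statement EXPORT-AGGREGATE term deny-rest then reject
set protocols bgp group UPSTREAM export EXPORT-AGGREGATE

## Stateless ingress filter on the MX (placeholder interface ge-0/0/0 = upstream link):
## in-use /32s pass, the rest of the /24 is silently discarded and counted
set firewall family inet filter PROTECT-UNUSED-SPACE term allow-in-use from destination-prefix-list IN-USE-HOSTS
set firewall family inet filter PROTECT-UNUSED-SPACE term allow-in-use then accept
set firewall family inet filter PROTECT-UNUSED-SPACE term drop-unused from destination-address 192.0.2.0/24
set firewall family inet filter PROTECT-UNUSED-SPACE term drop-unused then count unused-destinations
set firewall family inet filter PROTECT-UNUSED-SPACE term drop-unused then discard
set firewall family inet filter PROTECT-UNUSED-SPACE term everything-else then accept
set interfaces ge-0/0/0 unit 0 family inet filter input PROTECT-UNUSED-SPACE

## Verify from operational mode: the counter should climb while the dead space is being hit
## show firewall filter PROTECT-UNUSED-SPACE counter unused-destinations
```

Because the filter is stateless and sits on the MX, it sidesteps the open question in the thread of whether an SRX filter runs before a session entry is allocated; the prefix-list has to be kept in step with the NAT pool or the newly used address is dropped too.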


