[j-nsp] DDOS and MX-240's

Bjørn Tore bt at paulen.net
Mon Jan 7 01:51:12 EST 2013


Why would you accept any /32s in the first place?

Bjørn Tore @ mobil

Den 7. jan. 2013 kl. 06:22 skrev Joel jaeggli <joelja at bogus.com>:

> On 1/6/13 20:14 , Richard Gross wrote:
>> Dear List,
>> 
>> I am seeking advise.  If you wanted to block 800K /32's from your inbound
>> pipes, how would you do it?
>> 
>> Would you null route?   Put up multiple stanza firewall filters?   Which
>> way has the least amount of hit on router resources?
> 
> so I'd have a discard route, and I'd inject the prefixes from another
> box probably quagga with a nexthop of the discard route. I'd expect an
> re2000 to injest those routes in about 2 minutes
> 
> I probably wouldn't use flowspec for this at this point.
> 
>> If you would prefer to reply off-list, that would be super.
>> 
>> richg
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



More information about the juniper-nsp mailing list