[j-nsp] DDOS and MX-240's

joel jaeggli joelja at bogus.com
Mon Jan 7 02:05:10 EST 2013


On 1/6/13 10:51 PM, Bjørn Tore wrote:
> Why would you accept any /32s in the first place?
 From myself? I accept all sorts of prefix lengths internally that I 
would never accept from the internet.

I accept quite  a few pretty long prefixes from my arbor TMS for 
example, more in the context of RTBH e.g. RFC 5635 and so on.
>
> Bjørn Tore @ mobil
>
> Den 7. jan. 2013 kl. 06:22 skrev Joel jaeggli <joelja at bogus.com>:
>
>> On 1/6/13 20:14 , Richard Gross wrote:
>>> Dear List,
>>>
>>> I am seeking advise.  If you wanted to block 800K /32's from your inbound
>>> pipes, how would you do it?
>>>
>>> Would you null route?   Put up multiple stanza firewall filters?   Which
>>> way has the least amount of hit on router resources?
>> so I'd have a discard route, and I'd inject the prefixes from another
>> box probably quagga with a nexthop of the discard route. I'd expect an
>> re2000 to injest those routes in about 2 minutes
>>
>> I probably wouldn't use flowspec for this at this point.
>>
>>> If you would prefer to reply off-list, that would be super.
>>>
>>> richg
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp



More information about the juniper-nsp mailing list