[j-nsp] DDOS and MX-240's

Bjørn Tore bt at paulen.net
Mon Jan 7 02:16:51 EST 2013


OK - with 'inbound' I thought you meant from the Internet.

bt at ipad

On 7 Jan 2013, at 08:05, joel jaeggli <joelja at bogus.com> wrote:

> On 1/6/13 10:51 PM, Bjørn Tore wrote:
>> Why would you accept any /32s in the first place?
> From myself? I accept all sorts of prefix lengths internally that I would never accept from the internet.
> 
> I accept quite a few pretty long prefixes from my Arbor TMS for example, more in the context of RTBH e.g. RFC 5635 and so on.
>> 
>> Bjørn Tore @ mobile
>> 
>> On 7 Jan 2013, at 06:22, Joel jaeggli <joelja at bogus.com> wrote:
>> 
>>> On 1/6/13 20:14 , Richard Gross wrote:
>>>> Dear List,
>>>> 
>>>> I am seeking advice.  If you wanted to block 800K /32's from your inbound
>>>> pipes, how would you do it?
>>>> 
>>>> Would you null route?   Put up multiple stanza firewall filters?   Which
>>>> way has the least amount of hit on router resources?
>>> so I'd have a discard route, and I'd inject the prefixes from another
>>> box probably quagga with a nexthop of the discard route. I'd expect an
>>> re2000 to ingest those routes in about 2 minutes
>>> 
>>> I probably wouldn't use flowspec for this at this point.
>>> 
>>>> If you would prefer to reply off-list, that would be super.
>>>> 
>>>> richg
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
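The injection approach described in the thread (a separate Quagga box announcing the blocked /32s with a next hop that every router routes to discard), sketched as an added example that is not code from any poster. It goes slightly beyond the thread by losslessly collapsing adjacent /32s and by refusing entries that overlap protected space. The ASN, the next hop 192.0.2.1, the route-map name `RTBH`, the protected range and the feed contents are all assumptions or constructed values.

```python
import ipaddress

LOCAL_AS = 64512                      # assumed private ASN of the injector
DISCARD_NEXT_HOP = "192.0.2.1"        # assumed; each router statically routes this to discard
PROTECTED = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: space that must never be blackholed

# Constructed sample feed; a real one would hold the ~800K host addresses.
FEED = """
198.51.100.4
198.51.100.5
198.51.100.6
198.51.100.7
198.51.100.7      # duplicate entry
203.0.113.9/32
192.0.2.1         # overlaps protected space
10.0.0.0/8        # not a host route
not-an-address
"""

def parse_hosts(text):
    """Return (hosts, rejected): unique IPv4 /32 networks and the entries refused."""
    hosts, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append(entry)
            continue
        bad = (net.version != 4 or net.prefixlen != 32
               or any(net.overlaps(p) for p in PROTECTED))
        if bad:
            rejected.append(entry)
        else:
            hosts.add(net)
    return hosts, rejected

def collapse(hosts):
    """Merge adjacent /32s into covering prefixes; never covers an unlisted address."""
    return list(ipaddress.collapse_addresses(hosts))

def render_bgpd(prefixes):
    """Emit Quagga bgpd.conf lines announcing each prefix toward the discard next hop."""
    lines = [f"router bgp {LOCAL_AS}"]
    lines += [f" network {p} route-map RTBH" for p in prefixes]
    lines += ["!", "route-map RTBH permit 10",
              f" set ip next-hop {DISCARD_NEXT_HOP}",
              " set community no-export"]   # keep blackhole routes inside the AS
    return "\n".join(lines)

if __name__ == "__main__":
    hosts, rejected = parse_hosts(FEED)
    print(render_bgpd(collapse(hosts)))
    print("rejected:", rejected)
```

Collapsing only merges complete, aligned runs of listed addresses, so the announced set blocks exactly the same hosts with fewer routes.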