[j-nsp] DDOS and MX-240's

Darius Jahandarie djahandarie at gmail.com
Mon Jan 7 15:41:05 EST 2013


On Mon, Jan 7, 2013 at 2:48 PM, Richard A Steenbergen <ras at e-gerbil.net> wrote:
> On Mon, Jan 07, 2013 at 05:41:06AM +0000, Dobbins, Roland wrote:
>>
>> On Jan 6, 2013, at 11:14 PM, Richard Gross wrote:
>>
>> > I am seeking advice.  If you wanted to block 800K /32's from your inbound pipes, how would you do it?
>>
>> You don't need nor want to do this.  Flowspec and S/RTBH are very
>> useful tools for blocking, as Chris indicated, but nobody needs to
>> block 800K /32s.
>
> http://mailman.nanog.org/pipermail/nanog/2011-January/030051.html
>
> Still has the same issue. Juniper has basically let Flowspec bit-rot
> into complete uselessness since Pedro left.

It really sucks to hear that the performance didn't improve on Trio.
Flowspec is /the/ way to make DoS mitigation possible for companies
not big enough to buy a boatload of edge capacity; it's too bad that
it's not implemented by anyone but Juniper, and Juniper is letting it
rot. (It's also too bad that, AFAIK, nLayer is the only transit
provider that actually offers it to customers.)

I think this is one of the things that the people building on top of
OpenFlow can use to wipe the floor with classical vendors (a good
MPLS-TE implementation being the other thing).

-- 
Darius Jahandarie

