[j-nsp] DDOS and MX-240's

Eric Cables ecables at gmail.com
Mon Jan 7 23:10:45 EST 2013


It's interesting that Flowspec was one of the presentations at the Bay Area
Juniper User's Group in October, and heavily used by CloudFlare.

http://www.slideshare.net/junipernetworks/flowspec-bay-area-juniper-user-group-bajug

-- Eric Cables


On Mon, Jan 7, 2013 at 12:41 PM, Darius Jahandarie <djahandarie at gmail.com>wrote:

> On Mon, Jan 7, 2013 at 2:48 PM, Richard A Steenbergen <ras at e-gerbil.net>
> wrote:
> > On Mon, Jan 07, 2013 at 05:41:06AM +0000, Dobbins, Roland wrote:
> >>
> >> On Jan 6, 2013, at 11:14 PM, Richard Gross wrote:
> >>
> >> > I am seeking advise.  If you wanted to block 800K /32's from your
> inbound pipes, how would you do it?
> >>
> >> You don't need nor want to do this.  Flowspec and S/RTBH are very
> >> useful tools for blocking, as Chris indicated, but nobody needs to
> >> block 800K /32s.
> >
> > http://mailman.nanog.org/pipermail/nanog/2011-January/030051.html
> >
> > Still has the same issue. Juniper has basically let Flowspec bit-rot
> > into complete uselessness since Pedro left.
>
> It really sucks to hear that the performance didn't improve on Trio.
> Flowspec is /the/ way to make DoS mitigation possible for companies
> not big enough to buy a boatload of edge capacity, it's too bad that
> it's not implemented by anyone but Juniper, and Juniper is letting it
> rot. (It's also too bad that, AFAIK, nLayer is the only transit
> provider that actually offers it to customers.)
>
> I think this is one of the things that the people building on top of
> OpenFlow can use to wipe the floor with classical vendors (a good
> MPLS-TE implementation being the other thing).
>
> --
> Darius Jahandarie
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


More information about the juniper-nsp mailing list