[j-nsp] MX480 RE-S-2000 IGMP flood

Saku Ytti saku at ytti.fi
Fri Jan 31 13:45:28 EST 2014


On (2014-01-31 17:51 +0200), Mark Tinka wrote:

> > traceroute.
> 
> I open up and limit Traceroute to udp/33434-33523. Haven't 
> had any issues thus far.

33434-33534 here, also no complaints from customers.

And I fully agree BCP is to allow what you must, drop rest.

Things which you can police safely to <4Mbps use lo0+policer, things which you
cannot police safely use ddos-protection.
Configure ddos-protection with very small values.

Majority of my ddos are 100pps, with a few at 4kpps. Keep in mind that
good and bad share the same ddos policer so don't make the cure worse than the
poison; flow-based ddos policers will likely be the cure, but I've not tested them
yet.
Your ddos config will be very long, as you at least need to configure all non-IP
policers (IP you can cover in lo0) and there is no way to say 'default 0pps
or 100pps' and only specifically configure those you want to allow more for.
'apply-flags omit' is your friend for standard configuration.

It's a shame FW filters in Trio are still restricted to a specific domain; there
is no HW reason why the lo0 filter couldn't protect you from non-IP attacks, using
L2 etype, dmac, smac as keys.

-- 
  ++ytti
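As an added illustration of the split described above (lo0 filter plus policer for IP traffic that can be rate-limited safely, ddos-protection with small values for everything else), not taken from the thread or from any poster's configuration; the rate values, policer name and filter name are assumptions, and a real lo0 filter needs terms for routing protocols and management before the final discard:

```junos
# Constructed values; tune to what your RE actually needs to receive.
set firewall policer igmp-1m if-exceeding bandwidth-limit 1m
set firewall policer igmp-1m if-exceeding burst-size-limit 50k
set firewall policer igmp-1m then discard

# Allow only the traceroute UDP range quoted in the thread.
set firewall family inet filter protect-re term traceroute from protocol udp
set firewall family inet filter protect-re term traceroute from destination-port 33434-33534
set firewall family inet filter protect-re term traceroute then accept

# IGMP is IP, so it can be policed in the lo0 filter instead of ddos-protection.
set firewall family inet filter protect-re term igmp from protocol igmp
set firewall family inet filter protect-re term igmp then policer igmp-1m
set firewall family inet filter protect-re term igmp then accept

# Routing-protocol and management terms belong here, before the final discard.
set firewall family inet filter protect-re term default then discard
set interfaces lo0 unit 0 family inet filter input protect-re

# Non-IP traffic (ARP here) never reaches the lo0 inet filter; cap it in
# ddos-protection with small values (bandwidth in pps, burst in packets),
# and hide the long block from the standard configuration view.
set system ddos-protection apply-flags omit
set system ddos-protection protocols arp aggregate bandwidth 100
set system ddos-protection protocols arp aggregate burst 100
```

Remember that the ddos-protection policer is shared by legitimate and hostile traffic alike, so verify with `show ddos-protection protocols arp statistics` that normal load stays well under the configured rate.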

