[j-nsp] Cisco vs Juniper confused

Payam Chychi pchychi at gmail.com
Thu Apr 14 19:02:49 EDT 2016


Having created DDoS mitigation solutions and specialized networks, it's 
not that simple, as certain companies can't simply offload data and 
provide, say, their SSL key to a DDoS mitigation provider (the simplest 
HTTP/HTTPS port proxy solution)... and most companies won't have the 
proper equipment to perform IPsec or GRE + BGP offloading, nor will they 
have the funds to pay +10k-15k MRC.

So... if you already have a 10gig pipe and the 'current' bottleneck is 
your ASA 5500 'state', then fix that the best you can while assessing what 
your longer term goals are.

Try putting in drop ACLs above to deny what you don't need. Enable TCP 
SYN proxy if you can and set up aggressive age timeouts so the table does 
not max out. Install proper monitoring to identify attacks and use the 
information for better drop ACLs. A decent Linux server with the latest 
iptables, which now fully supports a new SYN proxy, can handle almost 2 
million req/second without impact to other traffic.

Cisco ASAs (any of them) were never meant to be DDoS mitigation 
appliances. Replacing the ASA with a Juniper SRX will help greatly. 
Put a proper DDoS appliance in front to filter bad traffic, then use 
your ASA for your IPS/IDS/security, which will be fine at lower levels.


Thanks,
Payam
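An added example (mine, not from anyone in this thread) of the Linux iptables SYN proxy setup the post refers to, with shortened conntrack timeouts so the state table does not fill and a couple of raw-table drop rules for traffic the host never needs. It assumes the public interface is eth0, the protected service is TCP/443 and the host runs no NTP daemon; without the `apply` argument it only prints the rules for review.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: public interface eth0,
# protected service TCP/443, no NTP daemon on this host (override via env).
IFACE="${IFACE:-eth0}"
SVC_PORT="${SVC_PORT:-443}"

# Print the sysctl and iptables commands, one per line, for review or piping.
build_rules() {
  cat <<EOF
# SYNPROXY relies on SYN cookies and timestamps; tcp_loose=0 keeps conntrack
# from adopting mid-stream packets that never completed a tracked handshake.
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
# Aggressive aging so a flood cannot fill the state table
# (kernel defaults: syn_recv 60s, established 5 days, udp 30s).
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_syn_recv=10
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
sysctl -w net.netfilter.nf_conntrack_udp_timeout=15
# Drop ACLs in the raw table: fragments and NTP are unwanted on this host,
# so they are discarded before conntrack ever allocates state for them.
iptables -t raw -A PREROUTING -i $IFACE -f -j DROP
iptables -t raw -A PREROUTING -i $IFACE -p udp --dport 123 -j DROP
# Keep inbound SYNs to the service out of conntrack; SYNPROXY answers them
# with cookies and only opens a tracked entry once the client completes.
iptables -t raw -A PREROUTING -i $IFACE -p tcp --dport $SVC_PORT --syn -j CT --notrack
iptables -A INPUT -i $IFACE -p tcp --dport $SVC_PORT -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# Anything else conntrack cannot classify (stray ACK floods etc.) is dropped.
iptables -A INPUT -i $IFACE -m conntrack --ctstate INVALID -j DROP
EOF
}

# Load the rules; refuses to run without root so a review run stays harmless.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: root required" >&2; return 1; }
  build_rules | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     build_rules ;;
esac
```

Watch `conntrack -S` or `/proc/sys/net/netfilter/nf_conntrack_count` against `nf_conntrack_max` after loading; if the count still climbs under attack, tighten the timeouts further or add more drop rules from what monitoring shows.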



On 2016-04-14, 3:45 PM, Michael Gehrmann wrote:
> +1 for Dave's comment. You can only survive until your upstream is 
> congested.
>
> Mike
>
> On 15 April 2016 at 08:05, Dave Bell <me at geordish.org> wrote:
>
>     In my opinion trying to scrub DDoS traffic yourself is a losing
>     battle. It's likely that an attacker can easily fill the ingress
>     points onto your network. If this is the case, then legitimate
>     traffic will be dropped before it even hits you. The damage is
>     already done. The only way around this is bigger links, which can
>     be costly, and you're not even guaranteed to have links big enough
>     to cope with an attack.
>
>     You're better off looking at your upstreams to assist you with
>     this. They likely have some form of traffic scrubbing solution
>     that you can employ when under attack. It's likely a lot easier
>     for you to administrate too.
>
>     Regards,
>     Dave
>
>     On 14 April 2016 at 22:57, Payam Chychi <pchychi at gmail.com> wrote:
>
>     > What gear do you currently have? What do your filtering rules
>     > look like? You don't need to buy new gear if you're filtering
>     > much of the bad traffic at the edge using simple ACLs.
>     >
>     >
>     >
>     > On Apr 14, 2016, 2:39 PM -0700, Dovid Bender <dovid at telecurve.com> wrote:
>     > > Why not use an external service to scrub your traffic?
>     > >
>     > > Regards,
>     > >
>     > > Dovid
>     > >
>     > > -----Original Message-----
>     > > From: Satish Patel <satish.txt at gmail.com>
>     > > Sender: "juniper-nsp" <juniper-nsp-bounces at puck.nether.net>
>     > > Date: Thu, 14 Apr 2016 17:35:17
>     > > To: <juniper-nsp at puck.nether.net>
>     > > Subject: [j-nsp] Cisco vs Juniper confused
>     > >
>     > > This is my first post here. We are a small-sized company and now we
>     > > are getting harassed by DDoS stuff. We have a 10G link in our network
>     > > terminated on an L3 Cisco switch and from there other switches.
>     > > Everything was working great but recently we started seeing DDoS more
>     > > and more. They are filling the 10G link using NTP, IPFrag etc. attacks.
>     > >
>     > > Now we are looking for big gear so we can keep the bad guys out and
>     > > scrub traffic, but I am confused by the Juniper vs Cisco war.. I am not
>     > > able to decide what to buy and how it will help us. I have the
>     > > following in mind. We thought about an ASR firewall too but are not
>     > > sure whether it can handle DDoS or not.
>     > >
>     > > Need your suggestion on what I should buy and why. One more thing: we
>     > > are planning to run BGP so we can do null triggering etc.
>     > >
>     > > MX80 vs ASR100X - Is this enough to handle DDoS and filter traffic?
>     > >
>     > > MX240 vs ASR900X
>     > > _______________________________________________
>     > > juniper-nsp mailing list juniper-nsp at puck.nether.net
>     <mailto:juniper-nsp at puck.nether.net>
>     > > https://puck.nether.net/mailman/listinfo/juniper-nsp
>     >
>
>
>
>
> -- 
> Michael Gehrmann
> Senior Network Engineer - Atlassian
> m: +61 407 570 658


