[j-nsp] Cisco vs Juniper confused

Michael Gehrmann mgehrmann at atlassian.com
Thu Apr 14 19:35:36 EDT 2016


Hi Payam,

I agree that if you have a bottleneck then remove it. I don't suggest
firewalls for surviving DDoS and would recommend a router with ACLs, which
will have better survivability due to PPS performance. There will be a
point, however, where the cost of designing your network to survive will
outweigh the cost of a DDoS protection service. When you see attacks of
over 100G this starts to become a costly exercise.

Mike

On 15 April 2016 at 09:02, Payam Chychi <pchychi at gmail.com> wrote:

> Having created DDoS mitigation solutions and specialized networks, it's
> not that simple, as certain companies can't simply offload data and provide,
> say, their SSL key to a DDoS mitigation provider (the simplest port HTTP/HTTPS
> proxy solution)... and most companies won't have the proper equipment to
> perform IPsec or GRE + BGP offloading, nor will they have the funds to pay
> +10k-15k MRC.
>
> So... if you already have a 10gig pipe and the 'current' bottleneck is
> your ASA5500 'state', then fix that the best you can while assessing what
> your longer-term goals are.
>
> Try putting in drop ACLs above to deny what you don't need. Enable TCP SYN
> proxy if you can and set up an aggressive age timeout so the table does not max
> out. Install proper monitoring to identify attacks and use the information
> for better drop ACLs. A decent Linux server with the latest iptables, which now
> fully supports a new SYN proxy, can handle almost 2 mil req/second without
> impact to other traffic.
>
> Cisco ASAs (any of them) were never meant to be DDoS mitigation appliances.
> Replacing the ASA with a Juniper SRX will help greatly.
> Put a proper DDoS appliance in front to filter bad traffic, then use your
> ASA for your IPS/IDS/security, which will be fine at lower levels.
>
>
> Thanks,
> Payam
>
>
>
>
> On 2016-04-14, 3:45 PM, Michael Gehrmann wrote:
>
> +1 for Dave's comment. You can only survive until your upstream is
> congested.
>
> Mike
>
> On 15 April 2016 at 08:05, Dave Bell <me at geordish.org> wrote:
>
>> In my opinion trying to scrub DDoS traffic yourself is a losing battle.
>> It's likely that an attacker can easily fill the ingress points onto your
>> network. If this is the case, then legitimate traffic will be dropped
>> before it even hits you. The damage is already done. The only way around
>> this is bigger links, which can be costly, and you're not even guaranteed to
>> have links big enough to cope with an attack.
>>
>> You're better off looking at your upstreams to assist you with this. They
>> likely have some form of traffic scrubbing solution that you can employ
>> when under attack. It's likely a lot easier for you to administrate too.
>>
>> Regards,
>> Dave
>>
>> On 14 April 2016 at 22:57, Payam Chychi <pchychi at gmail.com> wrote:
>>
>> > What gear do you currently have? What do your filtering rules look like?
>> > You don't need to buy new gear if you're filtering much of the bad
>> > traffic at the edge using simple ACLs.
>> >
>> >
>> >
>> > On Apr 14, 2016, 2:39 PM -0700, Dovid Bender <dovid at telecurve.com> wrote:
>> > > Why not use an external service to scrub your traffic?
>> > >
>> > > Regards,
>> > >
>> > > Dovid
>> > >
>> > > -----Original Message-----
>> > > From: Satish Patel <satish.txt at gmail.com>
>> > > Sender: "juniper-nsp" <juniper-nsp-bounces at puck.nether.net>
>> > > Date: Thu, 14 Apr 2016 17:35:17
>> > > To: <juniper-nsp at puck.nether.net>
>> > > Subject: [j-nsp] Cisco vs Juniper confused
>> > >
>> > > This is my first post here. We are a small company and now we
>> > > are getting hit hard by DDoS stuff. We have a 10G link in our network
>> > > terminated on an L3 Cisco switch and from there other switches.
>> > > Everything was working great but recently we started seeing DDoS more
>> > > and more. They are filling the 10G link using NTP, IP frag, etc. attacks.
>> > >
>> > > Now we are looking for big gear so we can keep the bad guys out and scrub
>> > > traffic, but are confused between the Juniper vs Cisco war... I am not able to
>> > > decide what to buy and how it will help us. I have the following in
>> > > mind. We thought about the ASR firewall too but are not sure whether it can
>> > > handle DDoS or not.
>> > >
>> > > Need your suggestion on what I should buy and why. One more thing: we are
>> > > planning to run BGP so we can do null triggering etc.
>> > >
>> > > MX80 vs ASR100X - Is this enough to handle DDoS and filter traffic?
>> > >
>> > > MX240 vs ASR900X
>> > > _______________________________________________
>> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >
>>
>
>
>
> --
> Michael Gehrmann
> Senior Network Engineer - Atlassian
> m: +61 407 570 658
>
>
>


-- 
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658
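The monitoring-to-ACL loop Payam describes (identify the attack classes, then write tighter drop ACLs) and the MX-style edge filtering the original poster asks about, as an added example that is not code from anyone in this thread: it classifies a window of constructed flow records into the two attack classes mentioned (NTP amplification and IP-fragment floods) and emits Junos firewall-filter terms for only the classes actually observed. The flow-record shape, the field names, the 200-byte NTP size threshold, the 10 Mb/s fragment policer and the addresses are all assumptions for illustration.

```python
"""Added example, not code from anyone in this thread.

Classifies a window of exported flow records (constructed samples below, not
real captures) into the attack classes the thread mentions and emits Junos
firewall-filter terms for an MX edge. Thresholds, field names and the record
shape are assumptions; validate the generated syntax on your Junos release.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    octets: int
    fragment: bool   # non-initial fragment (fragment offset != 0), as an exporter flags it


# Constructed sample records covering one export window (assumed 10 s).
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    # NTP monlist replies: src port 123, ~480-byte packets -> amplification
    Flow("198.51.100.10", "203.0.113.5", "udp", 123, 54321, 20000, 9_600_000, False),
    Flow("198.51.100.11", "203.0.113.5", "udp", 123, 54321, 18000, 8_640_000, False),
    # A genuine NTP reply: 76 bytes on the wire (IP + UDP + 48-byte NTP)
    Flow("192.0.2.1", "203.0.113.5", "udp", 123, 40000, 4, 304, False),
    # Non-initial UDP fragments carry no port numbers; this is the "IP frag" flood
    Flow("198.51.100.20", "203.0.113.5", "udp", 0, 0, 30000, 45_000_000, True),
    # Ordinary HTTPS traffic that must keep flowing
    Flow("192.0.2.50", "203.0.113.5", "tcp", 51000, 443, 300, 150_000, False),
]

# Assumption: a normal NTP reply is ~76 bytes of IP; monlist replies are ~482.
NTP_AMP_MIN_AVG_OCTETS = 200


def classify(flows, window_s=WINDOW_SECONDS):
    """Bucket flows into attack classes with volume and top talkers per class."""
    buckets = defaultdict(lambda: {"packets": 0, "octets": 0, "by_src": defaultdict(int)})
    for f in flows:
        if f.fragment:
            cat = "ip-fragments"
        elif (f.proto == "udp" and f.sport == 123
              and f.octets / f.packets >= NTP_AMP_MIN_AVG_OCTETS):
            cat = "ntp-amplification"
        else:
            continue  # not one of the classes we filter on
        b = buckets[cat]
        b["packets"] += f.packets
        b["octets"] += f.octets
        b["by_src"][f.src] += f.octets
    return {
        cat: {
            "packets": b["packets"],
            "octets": b["octets"],
            "mbps": round(b["octets"] * 8 / window_s / 1_000_000, 2),
            "top_sources": sorted(b["by_src"], key=b["by_src"].get, reverse=True)[:3],
        }
        for cat, b in buckets.items()
    }


def _term(name, match, actions):
    """Render one Junos filter term from match conditions and then-actions."""
    lines = ["    term %s {" % name, "        from {"]
    lines += ["            %s;" % m for m in match]
    lines += ["        }", "        then {"]
    lines += ["            %s;" % a for a in actions]
    lines += ["        }", "    }"]
    return lines


def render_junos_filter(findings, filter_name="ddos-edge-in", frag_policer_bw="10m"):
    """Emit a 'firewall' stanza whose filter has terms only for classes seen."""
    out = ["firewall {"]
    if "ip-fragments" in findings:
        # Policer rather than discard: DNS/EDNS and IPsec legitimately fragment.
        out += ["  policer frag-policer {",
                "    if-exceeding { bandwidth-limit %s; burst-size-limit 100k; }" % frag_policer_bw,
                "    then discard;",
                "  }"]
    out += ["  family inet {", "    filter %s {" % filter_name]
    if "ntp-amplification" in findings:
        # Match on reply size so the site's own NTP clients keep receiving answers.
        out += _term("drop-ntp-amplification",
                     ["protocol udp", "source-port 123",
                      "packet-length %d-65535" % NTP_AMP_MIN_AVG_OCTETS],
                     ["count ntp-amp", "discard"])
    if "ip-fragments" in findings:
        out += _term("police-fragments", ["is-fragment"],
                     ["count ip-frag", "policer frag-policer"])
    out += ["    term allow-rest {", "        then accept;", "    }",
            "    }", "  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    findings = classify(SAMPLE_FLOWS)
    for cat, stats in findings.items():
        print("%-18s %8.2f Mb/s  top: %s" % (cat, stats["mbps"], ", ".join(stats["top_sources"])))
    print(render_junos_filter(findings))
```

The generated stanza is applied with `family inet { filter { input ddos-edge-in; } }` on the upstream-facing interface; the counters (`ntp-amp`, `ip-frag`) then feed the next monitoring round. As Dave's reply notes, this only helps while the 10G link itself is not saturated: once the attack exceeds the ingress capacity, the discards happen too late and the problem moves to the upstream or a scrubbing provider.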

