[j-nsp] Cisco vs Juniper confused
Roland Dobbins
rdobbins at arbor.net
Thu Apr 14 20:07:04 EDT 2016
On 15 Apr 2016, at 4:35, Satish Patel wrote:
> We thought about ASR firewall too but not sure because it can
> handle DDoS or not.
Stateful firewalls aren't good at dealing with DDoS attacks - they go
down more quickly that 'naked' hosts due to state-table exhaustion (link
to .pdf preso):
<https://app.box.com/s/a3oqqlgwe15j8svojvzl>
S/RTBH, flowspec, and possibly intelligent DDoS mitigation systems
(IDMSes) are tools you can utilize to deal with DDoS attacks.
[Full disclosure: I work for a vendor of such systems.]
You also need to ensure that you implement BCPs like iACLs in order to
ensure that your network infrastructure devices themselves are protected
against DDoS attacks.
This is an older post on NANOG, but it still has relevance, IMHO:
<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
Again, be sure to include flowspec (supported on Juniper platforms for a
long time, now finally supported on some Cisco platforms) in your
toolkit.
There are other .pdf presos related to DDoS defense which may be of
interest here:
<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
More information about the juniper-nsp
mailing list