[j-nsp] Cisco vs Juniper confused

Roland Dobbins rdobbins at arbor.net
Thu Apr 14 20:07:04 EDT 2016


On 15 Apr 2016, at 4:35, Satish Patel wrote:

> We thought about ASR firewall too but not sure because it can
> handle DDoS or not.

Stateful firewalls aren't good at dealing with DDoS attacks - they go 
down more quickly than 'naked' hosts due to state-table exhaustion (link 
to .pdf preso):

<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

S/RTBH, flowspec, and possibly intelligent DDoS mitigation systems 
(IDMSes) are tools you can utilize to deal with DDoS attacks.

[Full disclosure:  I work for a vendor of such systems.]

You also need to ensure that you implement BCPs like iACLs in order to 
ensure that your network infrastructure devices themselves are protected 
against DDoS attacks.

This is an older post on NANOG, but it still has relevance, IMHO:

<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>

Again, be sure to include flowspec (supported on Juniper platforms for a 
long time, now finally supported on some Cisco platforms) in your 
toolkit.

There are other .pdf presos related to DDoS defense which may be of 
interest here:

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
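As an added illustration of the flowspec and S/RTBH tools named in the post above (this is an example configuration, not code from the post or from Arbor), a Junos snippet with a locally originated flowspec route that throttles UDP/123 reflection traffic toward a victim prefix, plus a tagged discard route for destination-based RTBH; the prefixes and the 65000:666 blackhole community are assumed values for illustration.

```junos
/* Constructed example: flowspec mitigation and a destination-based
   RTBH route on a Junos router. Prefixes are RFC 5737 documentation
   space; the blackhole community is an assumed local convention. */
routing-options {
    flow {
        /* evaluate match terms in the order written, for interoperability
           with peers that do not follow the draft-specified ordering */
        term-order standard;
        route NTP-REFLECTION-TO-VICTIM {
            match {
                destination 192.0.2.0/24;
                protocol udp;
                source-port 123;
            }
            then {
                /* throttle the matching flow rather than drop it outright;
                   'then discard' would drop every matching packet */
                rate-limit 1000000;
            }
        }
    }
    /* destination-based RTBH: null-route the single host under attack and
       tag the route so an upstream that honours the community drops it too */
    static {
        route 192.0.2.10/32 {
            discard;
            community 65000:666;
        }
    }
}
```

With flowspec, the same match/action can be advertised to peers that accept the inet-flow NLRI instead of being configured on each router by hand; verify what was installed with show route table inetflow.0 before relying on it during an event.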

