[j-nsp] Cisco vs Juniper confused
Satish Patel
satish.txt at gmail.com
Thu Apr 14 21:18:36 EDT 2016
Thanks Roland,
Your link has tons of material. After reading all the wonderful comments
from all you guys, it looks like Router + BGP + ACL will be a good solution;
as someone mentioned, a stateful firewall has its own limitations and it can't
scale. Routers work at the HW layer, so they will provide more PPS and faster
performance when we are under water.
We are currently using Suricata IDS to detect DDoS, which is really
great open-source software.
On Thu, Apr 14, 2016 at 8:07 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
> On 15 Apr 2016, at 4:35, Satish Patel wrote:
>
>> We thought about ASR firewall too but not sure because it can
>> handle DDoS or not.
>
>
> Stateful firewalls aren't good at dealing with DDoS attacks - they go down
> more quickly than 'naked' hosts due to state-table exhaustion (link to .pdf
> preso):
>
> <https://app.box.com/s/a3oqqlgwe15j8svojvzl>
>
> S/RTBH, flowspec, and possibly intelligent DDoS mitigation systems (IDMSes)
> are tools you can utilize to deal with DDoS attacks.
>
> [Full disclosure: I work for a vendor of such systems.]
>
> You also need to ensure that you implement BCPs like iACLs in order to
> ensure that your network infrastructure devices themselves are protected
> against DDoS attacks.
>
> This is an older post on NANOG, but it still has relevance, IMHO:
>
> <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
>
> Again, be sure to include flowspec (supported on Juniper platforms for a
> long time, now finally supported on some Cisco platforms) in your toolkit.
>
> There are other .pdf presos related to DDoS defense which may be of interest
> here:
>
> <https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
>
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>