[j-nsp] Cisco vs Juniper confused
Aaron
aaron1 at gvtc.com
Fri Apr 15 16:34:58 EDT 2016
Ah, understood about 900x... thanks
Yes for my RTBH I have a mixture of ebgp with my ISP and ibgp to my own boundaries... here's why... it's because one ISP allows direct ebgp, and the other ISP allows my to send a special community tag on /32's over my existing internet peering point with them (ebgp)
- ISP1 RTBH solution is ebgp with them. So I stood up a separate router (2600) in my network and I simply ebgp m-hop with their rtbh null router
- ISP2 RTBH solution is, I must send them /32's over my existing ebgp boundary connection with specific RTBH community attributes.... so I simply do ibgp from that same 2600 and tag those host routes with the community attribute that ISP2 requires. /32's advertisement goes from 2600 to my boundary nodes and then flows over my internet ebgp peering to ISP2...
P.S. I just remembered that I only do this RTBH architecture with 2 of my ISP's... not 3
P.S.S. I recall reading a lot of documents on this when I first set it up. I recall there was plenty online about RTBH setup. Not very complicated but has proven to be very affective. I think most security folks will tell you defense-in-depth is the way to go... various levels of security for various things... acls for hard denies... rtbh for specific purposed of momentarily bh'ing... QoS as a mitigation strategy for attacks... like I use policers for certain traffic levels that are often times abused as attack vectors...
Hope that helps Satish
Aaron
-----Original Message-----
From: Satish Patel [mailto:satish.txt at gmail.com]
Sent: Friday, April 15, 2016 1:33 PM
To: Aaron <aaron1 at gvtc.com>
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Cisco vs Juniper confused
Aaron,
ASR900X (X is just variable so whatever like 6, 1 etc..)
I have question related your BGP setup, How you triggering BGP RTBH with 2600 router? Do you have BGP peering from your device to your ISP? I believe without BGP peering you can't do RTBH.
Currently we have /24 subnet and its plain network using default route (without BGP). We talked to our ISP relate setup RTBH triggering so they said you need to buy big router and run eBGP with us with your own ASN, I told them is there a way we can just setup simple device to just trigger RTBH without buying big router and setup BGP etc..
I want to understand how you did that?
On Fri, Apr 15, 2016 at 12:05 PM, Aaron <aaron1 at gvtc.com> wrote:
> When I have ddos attacks that are sustained and HUGE, then I use my
> RTBF trigger router to launch a bgp /32 route to my (3) upstream
> providers, BANG, attack stopped, immediately.
>
> My rtbh trigger router is a $50 cisco 2600 that simply injects a /32
> route advertisement to my (3) upstream providers.... they then null
> route it and then that attack no longer shows up on my front door.... it's very nice.
> And free. My trigger 2600 was a spare router that was in my lab. My
> providers don't charge for this, it's just a service they provide.
>
> Also I've heard of Team Cymru's UTRS... I might convert my sp-specific
> /32 or community tagging to this more open/standard non-sp-specific way later...
> http://www.team-cymru.org/UTRS/
>
> Also, for other attacks, I have crafted a set of policers on my
> asr9k's facing the internet that limit how much dns, ntp, whatever,
> can enter my network. This is nice as I don't allow 5 gbps of DNS reflexive attack !!
> ....only say for instance 25 mbps of dns...something that makes sense.
>
> Aaron
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On
> Behalf Of Satish Patel
> Sent: Thursday, April 14, 2016 4:35 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Cisco vs Juniper confused
>
> This is my first port here, We are small size of company and now we
> are getting harsh by DDoS stuff. We have 10G link in our network
> terminated on
> L3 Cisco switch and from there other switches.
> Everything was working great but recently we started seeing DDoS more
> and more. They are filling 10G link using NTP, IPFrag etc. attack.
>
> Now we are looking for big gear so we keep bad guys out and scrub
> traffic but confused between Juniper Vs Cisco war.. I am not able to
> decide what to buy and how it will help us. I have following in my
> mind, We thought about ASR firewall too but not sure because it can handle DDoS or not.
>
> Need your suggestion what i should buy and why? One more thing we are
> planning to run BGP so we can do null triggering etc.
>
> MX80 vs ASR100X - Does this enough to handle DDoS and filter traffic?
>
> MX240 vs ASR900X
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list