[j-nsp] Cisco vs Juniper confused

Payam Chychi pchychi at gmail.com
Fri Apr 15 16:51:26 EDT 2016


All you need is a BGP session with your provider.

You discuss and agree on a predetermined set of BGP strings to assign to 
the route. The route then gets advertised to your provider, say, and due 
to the community attached, the route will auto-update its next-hop to 
192.168.0.1 (or whatever IP they have set up; in simple terms, null0), 
discarding all traffic destined to the x.x.x.x/32 address.

Note that this is not real DDoS mitigation, as in reality you help the 
attacker in taking down the victim IP; however, you save the rest of your 
network from becoming a victim as well.

You can run Linux with Quagga, or a Cisco 7200 VXR.

It's all a very basic concept.


On 2016-04-15, 11:32 AM, Satish Patel wrote:
> Aaron,
>
> ASR900X  (X is just variable so whatever like 6, 1 etc..)
>
> I have a question related to your BGP setup: how are you triggering BGP RTBH
> with a 2600 router? Do you have BGP peering from your device to your
> ISP?  I believe without BGP peering you can't do RTBH.
>
> Currently we have a /24 subnet and it's a plain network using a default route
> (without BGP). We talked to our ISP about setting up RTBH triggering, and
> they said you need to buy a big router and run eBGP with us with your
> own ASN. I told them, is there a way we can just set up a simple device to
> just trigger RTBH without buying a big router and setting up BGP etc..
>
> I want to understand how you did that?
>
> On Fri, Apr 15, 2016 at 12:05 PM, Aaron <aaron1 at gvtc.com> wrote:
>> When I have ddos attacks that are sustained and HUGE, then I use my RTBH
>> trigger router to launch a bgp /32 route to my (3) upstream providers, BANG,
>> attack stopped, immediately.
>>
>> My rtbh trigger router is a $50 cisco 2600 that simply injects a /32 route
>> advertisement to my (3) upstream providers.... they then null route it and
>> then that attack no longer shows up on my front door.... it's very nice.
>> And free.  My trigger 2600 was a spare router that was in my lab.  My
>> providers don't charge for this, it's just a service they provide.
>>
>> Also I've heard of Team Cymru's UTRS... I might convert my sp-specific /32
>> or community tagging to this more open/standard non-sp-specific way later...
>> http://www.team-cymru.org/UTRS/
>>
>> Also, for other attacks, I have crafted a set of policers on my asr9k's
>> facing the internet that limit how much dns, ntp, whatever, can enter my
>> network.  This is nice as I don't allow 5 gbps of DNS reflexive attack !!
>> ....only say for instance 25 mbps of dns...something that makes sense.
>>
>> Aaron
>>
>> -----Original Message-----
>> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
>> Satish Patel
>> Sent: Thursday, April 14, 2016 4:35 PM
>> To: juniper-nsp at puck.nether.net
>> Subject: [j-nsp] Cisco vs Juniper confused
>>
>> This is my first post here. We are a small-sized company and now we are
>> getting hit hard by DDoS stuff. We have a 10G link in our network terminated on
>> an L3 Cisco switch and from there other switches.
>> Everything was working great but recently we started seeing DDoS more and
>> more. They are filling the 10G link using NTP, IPFrag etc. attacks.
>>
>> Now we are looking for big gear so we keep the bad guys out and scrub traffic,
>> but confused between the Juniper vs Cisco war.. I am not able to decide what to
>> buy and how it will help us. I have the following in my mind. We thought about
>> an ASR firewall too but not sure whether it can handle DDoS or not.
>>
>> Need your suggestion on what I should buy and why? One more thing: we are
>> planning to run BGP so we can do null triggering etc.
>>
>> MX80 vs ASR100X   - Is this enough to handle DDoS and filter traffic?
>>
>> MX240 vs ASR900X
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
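The mechanism Payam describes, modelled end to end as an added example (this is not code from anyone in the thread): the customer's trigger router injects a tagged /32, and the provider's import policy rewrites its next hop to a discard address, but only for host routes that fall inside the space the provider has assigned to that customer. The peering and sink addresses, the customer block and all function names are constructed assumptions; 65535:666 is the well-known BLACKHOLE community from RFC 7999, standing in for whatever provider-specific string you agree on.

```python
"""Model of BGP remotely triggered blackholing (RTBH).

Customer side: a trigger router injects a /32 tagged with a blackhole community.
Provider side: the import policy validates the route and rewrites its next hop
to a sink address that is statically routed to null0 on the provider's routers.
Added example; addresses are RFC 5737 documentation values (constructed).
"""
import ipaddress
from dataclasses import dataclass

BLACKHOLE = "65535:666"                 # RFC 7999 well-known BLACKHOLE community
DISCARD_NEXT_HOP = "192.0.2.1"           # provider's sink address -> null0 (constructed)
CUSTOMER_PEER = "203.0.113.2"            # customer trigger router's peering IP (constructed)
CUSTOMER_BLOCKS = ["198.51.100.0/24"]    # space the provider assigned to this customer (constructed)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    communities: frozenset


def trigger_blackhole(victim_ip, community=BLACKHOLE):
    """Customer side: the host route the trigger router announces to the provider."""
    net = ipaddress.ip_network(victim_ip)
    if net.prefixlen != 32:
        raise ValueError("RTBH trigger routes are host routes only")
    return Route(str(net), CUSTOMER_PEER, frozenset({community}))


def provider_import(route, customer_blocks=CUSTOMER_BLOCKS, community=BLACKHOLE):
    """Provider side: import policy on the customer session.

    Returns the (possibly rewritten) route, or None when the route is rejected.
    """
    net = ipaddress.ip_network(route.prefix)
    # Every customer announcement, tagged or not, must lie inside the assigned space;
    # this is what stops a customer from blackholing somebody else's address.
    if not any(net.subnet_of(ipaddress.ip_network(b)) for b in customer_blocks):
        return None
    if community not in route.communities:
        return route          # ordinary announcement, forwarded toward the customer
    if net.prefixlen != 32:
        return None           # never blackhole anything wider than a single host
    # Tagged /32: point it at the sink and keep it inside the provider's own AS.
    return Route(route.prefix, DISCARD_NEXT_HOP, route.communities | {"no-export"})


def install(fib, route):
    """Install an accepted route; the FIB maps network -> next hop."""
    if route is not None:
        fib[ipaddress.ip_network(route.prefix)] = route.next_hop


def forward(fib, dst):
    """Longest-prefix-match lookup; traffic resolved to the sink address is dropped."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in fib if addr in n]
    if not matches:
        return "no-route"
    best = max(matches, key=lambda n: n.prefixlen)
    next_hop = fib[best]
    return "discard" if next_hop == DISCARD_NEXT_HOP else next_hop


def demo():
    """Customer announces its /24 normally, then triggers a blackhole for one victim host."""
    fib = {}
    install(fib, provider_import(Route("198.51.100.0/24", CUSTOMER_PEER, frozenset())))
    install(fib, provider_import(trigger_blackhole("198.51.100.66/32")))
    # The victim /32 is discarded at the provider edge; the rest of the /24 still flows.
    return forward(fib, "198.51.100.66"), forward(fib, "198.51.100.7")


if __name__ == "__main__":
    print(demo())   # ('discard', '203.0.113.2')
```

The two refusals in provider_import are the part worth mirroring in real policy: in Quagga or Junos they correspond to a prefix-list on the customer session that only permits the customer's own block with a /32 length for the tagged term, so a mistyped or hostile trigger cannot null-route a third party. The no-export tag keeps the /32 from leaking beyond the provider's AS, and the trigger router itself needs nothing more than a static /32 to discard and an export policy that attaches the agreed community.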


