[j-nsp] Cisco vs Juniper confused

"Rolf Hanßen" nsp at rhanssen.de
Sat Apr 16 09:05:05 EDT 2016


Hi,

just an idea for networks with small budget that do not want to blackhole
the destination but also do not want attack traffic to enter their
network:

Rent 1 additional port from each upstream provider and convince the
upstream provider to accept /32 routes without exporting them (I know not
all will do this, this may be the hardest part of the whole scenario).
Connect all those ports to a single Layer3 switch like an EX4550 or even
smaller.

Connect some cheap mitigation solution like Wanguard to it (don't know if
similar software exists from other vendors).
In attack case, let it send a /32 route with nexthop of the "scrubbing
center" (scrubbing server or in case of multiple servers the EX that does
ECMP to the servers).
Connect the "scrubbing center" to your regular network with some very
small rate (something below usual customer connection bandwidth).

Even if the setup is unable to filter out the bad traffic this could
remove the bottleneck between your upstream provider and your network for
much less than what anti-ddos providers request.

We use a similar setup inside our network (hanging between core and
customer access layer, not between upstream and own equipment).
In case of Wanguard detection speed is great (if you use a mirror-port +
sniffer instead of flows), but filtering result is poor for everything
more complex than a dns/ntp reflection (but that usually is the daily
stuff).

kind regards
Rolf

> Our ISP doesn't provide S/RTBH, also in DDoS S/RTBH not handy.
>
> --
> Sent from my iPhone
>
>> On Apr 15, 2016, at 5:41 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
>>
>>> On 16 Apr 2016, at 3:51, Payam Chychi wrote:
>>>
>>> its all a very basic concept
>>
>> Concur 100%.
>>
>> And don't concentrate solely on D/RTBH, which completes the attack for
>> the attacker - look at S/RTBH and flowspec, too.
>>
>> -----------------------------------
>> Roland Dobbins <rdobbins at arbor.net>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
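As an added illustration of the diversion setup Rolf describes (this is not configuration from the post, from Juniper or from the Wanguard vendor), a Junos policy sketch for the EX: it accepts only /32s inside our own address space from the mitigation box, forces their next hop to the scrubbing center, tags them no-export, announces only those to the rented upstream ports, and caps the cleaned traffic where it re-enters the regular network. All addresses, AS numbers and prefixes are constructed placeholders, and routing-options (autonomous-system, router-id) are assumed to be configured already.

```junos
policy-options {
    community NO-EXPORT members no-export;
    /* Accept only /32 divert routes inside our own space (192.0.2.0/24 is constructed),
       force the next hop to the scrubbing center and tag them no-export. */
    policy-statement from-mitigation {
        term host-routes {
            from { protocol bgp; route-filter 192.0.2.0/24 prefix-length-range /32-/32; }
            then {
                next-hop 198.51.100.2;      /* scrubbing center, constructed address */
                community add NO-EXPORT;
                accept;
            }
        }
        then reject;                        /* nothing else from the mitigation box */
    }
    /* Announce only the tagged /32s to the rented upstream ports, never anything else. */
    policy-statement to-upstream {
        term diverted {
            from { protocol bgp; route-filter 192.0.2.0/24 prefix-length-range /32-/32; community NO-EXPORT; }
            then accept;
        }
        then reject;
    }
}
protocols {
    bgp {
        group upstreams {
            type external;
            export to-upstream;
            neighbor 203.0.113.1 peer-as 64496;   /* one rented upstream port, constructed */
        }
        group mitigation {
            type internal;
            import from-mitigation;
            neighbor 198.51.100.10;               /* Wanguard's BGP speaker, constructed */
        }
    }
}
/* Edge router where the scrubbing center re-enters the regular network: cap cleaned traffic. */
firewall {
    policer scrub-return {
        if-exceeding { bandwidth-limit 200m; burst-size-limit 2m; }
        then discard;
    }
    family inet {
        filter scrub-return-limit {
            term cap { then { policer scrub-return; accept; } }
        }
    }
}
```

The filter is applied with `filter { input scrub-return-limit; }` under `family inet` on the interface facing the scrubbing center, so even a failed mitigation cannot push more than the policer's rate into the core.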