[j-nsp] edge acl and interface utilization

tim tiriche tim.tiriche at gmail.com
Wed Feb 3 11:55:05 EST 2016


Hi,

I have a silly question.

If I have a 10G interface with an inbound ACL to drop UDP/80

Now, if I have 30G of incoming traffic (with 25G of UDP/80 (bad) + 5G of
TCP/80 (good)).

Will 5G be processed fine during this time?


2nd question:

Are there any ACL recommendations to filter DNS amplification/reflex attacks?
Is there a signature I can use?  With DNSSEC, I cannot filter fragments or
UDP > 512 bytes.

Any ACL recommendations would be helpful, especially around (IP options,
certain TCP flags, UDP flood).

Do folks implement any sort of QoS on the edge for floods?

-Tim

