[j-nsp] edge acl and interface utilization

Saku Ytti saku at ytti.fi
Wed Feb 3 12:17:27 EST 2016


Hey Tim,

> If I have a 10G interface with an inbound ACL to drop UDP/80
>
> Now, if I have 30G of incoming traffic (with 25G of UDP/80 (bad) + 5G of
> TCP/80 (good)).

You can't have 30Gbps incoming on a 10Gbps interface; the far-end
device has to drop 20Gbps of it.

> Will 5G be processed fine during this time?

No, unless you tell the far-end to give priority to it.

> Are there any ACL recommendations to filter DNS amplification/reflection attacks?
> Is there a signature I can use?  With DNSSEC, I cannot filter fragments or
> UDP > 512 bytes.

Shouldn't that be TCP? I don't think there is a generic rule you can
employ on a stateless router ACL to mitigate DNS reflection.

> Any ACL recommendations would be helpful especially around (ip options,
> certain tcp flags, udp
> flood).

IP options generally can be, and probably should be, dropped at the network edge.

> Do folks implement any sort of QOS on the edge for floods?

Yes, a lot of eyeball networks limit or deprioritise all UDP or some UDP
ports at the border. Some outright drop specific UDP packet types,
specific port+length. On JunOS MX today you can match on arbitrary
bytes and bits at offsets quite far inside the packet, so
if there is a clear signature of an abuse packet, flexible packet matching
can be used to drop or police it.


-- 
  ++ytti
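As an added illustration of the edge-filter advice in the reply above (this is not from the thread or from Juniper documentation), a Junos firewall filter sketch that discards IP options, polices UDP from source port 53 instead of dropping it so DNSSEC responses still pass, and carries an inactive flexible-match-mask term whose offset, mask and prefix are placeholders to be replaced by a verified abuse signature. The filter name, policer name, counters and rates are assumed.

```junos
firewall {
    policer UDP-DNS-POLICER {                  /* assumed name; tune rate to your edge */
        if-exceeding {
            bandwidth-limit 200m;
            burst-size-limit 2m;
        }
        then discard;
    }
    family inet {
        filter EDGE-IN {                       /* assumed name; apply as "input" on the 10G interface */
            term drop-ip-options {
                from {
                    ip-options any;            /* options have no legitimate use at the edge */
                }
                then {
                    count ip-options-dropped;
                    discard;
                }
            }
            term police-dns-responses {
                from {
                    protocol udp;
                    source-port 53;            /* reflected DNS traffic arrives from port 53 */
                }
                then {
                    policer UDP-DNS-POLICER;   /* rate-limit rather than drop; large/fragment-free DNSSEC answers survive */
                    accept;
                }
            }
            inactive: term drop-known-signature {   /* stays inactive until a real signature is filled in */
                from {
                    protocol udp;
                    flexible-match-mask {
                        match-start layer-4;   /* offsets counted from the start of the UDP header */
                        byte-offset 8;         /* PLACEHOLDER: first byte of UDP payload */
                        bit-length 16;
                        mask-in-hex 0xffff;    /* PLACEHOLDER mask */
                        prefix 0x0000;         /* PLACEHOLDER value; replace with verified abuse pattern */
                    }
                }
                then {
                    count signature-dropped;
                    discard;
                }
            }
            term default-accept {
                then accept;
            }
        }
    }
}
```

Watch the counters after applying the filter; a rising ip-options-dropped or policer discard count shows what the edge is absorbing without touching the good traffic terms.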