[j-nsp] edge acl and interface utilization

Payam Chychi pchychi at gmail.com
Thu Feb 4 09:49:36 EST 2016



On Thursday, February 4, 2016 at 5:24 AM, Adam Vitkovsky wrote:

> Hi Tim,
> > Of tim tiriche
> > Sent: Wednesday, February 03, 2016 4:55 PM
> >  
> > Hi,
> >  
> > I have a silly question.
> >  
> > If i have 10G interface with an inbound ACL to drop UDP/80
> >  
> > Now, if i have 30G of incoming traffic (with 25G of UDP/80 (bad) + 5G of
> > TCP/80 (good)).
> >  
> > Will 5G be processed fine during this time?
> >  
> >  
> > 2nd question:
> >  
> > Are there any ACL recommendations to filter DNS Amplification/reflex attack.
> > Is there a signature i can use? With DNSSEC, i cannot filter fragments or
> > udp > 512 bytes.
> >  
> >  
> > Any ACL recommendations would be helpful especially around (ip options,
> > certain tcp flags, udp flood).
> >  
> > Do folks implement any sort of QOS on the edge for floods?
> >  
> > -Tim
> Be aware that LU performance degrades depending on the number of enabled features and their complexity. So test your filter before deployment.
>  
> adam
>  
> Adam Vitkovsky
> IP Engineer
>  
> T: 0333 006 5936
> E: Adam.Vitkovsky at gamma.co.uk
> W: www.gamma.co.uk


If you are eating 30gig on a 10gig interface, you might want to get your provider involved, since it won't matter what you do on an ACL level; it's already saturating your pipe.

Also, you get better performance when the ACL is in the outbound direction from the interface irrespective, so out from your edge to cor/dis/...

Recap: you need more capacity or a way to move the filter onto your provider. If all fails and you can't have everything offline, then nullroute / blackhole the address at your provider level and get some DDoS mitigation service.
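As an added illustration of the kind of edge filter Tim asks about (example config written for this page, not posted by anyone in the thread; the filter, term and counter names, the 200m policer rate and the term order are assumptions), a Junos inet filter that counts what it drops, so the effect can be checked with `show firewall filter EDGE-IN`, and that rate-limits UDP/53 responses rather than dropping them, in keeping with the DNSSEC caveat above:

```junos
firewall {
    /* Added example: rate-limit DNS responses instead of discarding them, since DNSSEC answers legitimately exceed 512 bytes */
    policer DNS-RESPONSE-LIMIT {
        if-exceeding {
            bandwidth-limit 200m;
            burst-size-limit 2m;
        }
        then discard;
    }
    family inet {
        filter EDGE-IN {
            /* Drop UDP/80 outright; the counter shows how much the filter is absorbing */
            term DROP-UDP-80 {
                from {
                    protocol udp;
                    destination-port 80;
                }
                then {
                    count udp-80-drops;
                    discard;
                }
            }
            term LIMIT-DNS-RESPONSES {
                from {
                    protocol udp;
                    source-port 53;
                }
                then {
                    policer DNS-RESPONSE-LIMIT;
                    count dns-responses;
                    accept;
                }
            }
            /* Packets carrying IP options are rare in legitimate traffic */
            term DROP-IP-OPTIONS {
                from {
                    ip-options any;
                }
                then {
                    count ip-options-drops;
                    discard;
                }
            }
            term ACCEPT-REST {
                then accept;
            }
        }
    }
}
```

Apply it with `set interfaces xe-0/0/0 unit 0 family inet filter input EDGE-IN` (interface name assumed), and, as Adam notes, test the filter's forwarding impact before putting it on a production edge.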
