[j-nsp] Negative ARP caching, on an MX router (again)

Saku Ytti saku at ytti.fi
Wed Apr 5 10:02:06 EDT 2017


On 5 April 2017 at 16:45, Nitzan Tzelniker <nitzan.tzelniker at gmail.com> wrote:

Hey,

> Did someone test if ddos-protection for protocol resolve with
> flow-detection detects the source IP and drops its requests

I'm sure it works, but you only have about 5k policers for all of
ddos-protection, so keeping 'sub' level detection on is easy for an
attacker to congest. So realistically the most precise limit you get is
the IFL limit.
You definitely should configure ddos-protection, flow detection, and
manually configure pps limits for _all_ protocols, at aggregate level and
ifd/ifl level, and turn off sub detection.

Hold in FIB is much better, as the scale you need is only the number of
DADDRs there are in the LAN, instead of the number of SADDRs the Internet
has. You definitely should have both, but if a single address is being
hammered, you don't want to congest the ddos-protection policer and
punish all resolve coming from the same IFL; you just want to drop packets
going to that unresolvable DADDR before they hit ddos-protection.
I.e. a sane config would have a long (5min?) 'hold' time + maybe 1000pps
aggregate, 100pps ifl limit for resolve.

-- 
  ++ytti
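The ddos-protection part of the advice above, written out as Junos set-format configuration. This is an added example, not configuration from the thread or from Juniper; it covers only the resolve protocol group (the post says to do the same for all protocols), and it does not show the FIB hold-time knob. The 1000 pps aggregate and 100 pps IFL figures are the ones from the post; the burst sizes and the inclusion of the ucast-v4 packet-type policer are assumptions made for the example, and the statement names themselves are written from memory of the Junos ddos-protection hierarchy, so check them against your release's CLI.

```junos
## Added example, not from the thread. Assumed Junos syntax; verify on your platform.

## Turn on flow detection globally; without it no suspect-flow tracking happens
set system ddos-protection global flow-detection

## Aggregate policer for all resolve (next-hop resolution) punts: 1000 pps,
## burst value is an assumption for the example
set system ddos-protection protocols resolve aggregate bandwidth 1000
set system ddos-protection protocols resolve aggregate burst 1000

## Per-IFL limit of 100 pps; keep IFD- and IFL-level detection on,
## and turn subscriber ('sub') level detection off so the policer
## pool cannot be exhausted by many sources
set system ddos-protection protocols resolve aggregate flow-level-bandwidth logical-interface 100
set system ddos-protection protocols resolve aggregate flow-level-detection physical-interface on
set system ddos-protection protocols resolve aggregate flow-level-detection logical-interface on
set system ddos-protection protocols resolve aggregate flow-level-detection subscriber off

## Same pattern for the IPv4 unicast packet-type policer inside the resolve group
## (assumption: you want the packet-type limits explicit as well as the aggregate)
set system ddos-protection protocols resolve ucast-v4 bandwidth 1000
set system ddos-protection protocols resolve ucast-v4 burst 1000
set system ddos-protection protocols resolve ucast-v4 flow-level-bandwidth logical-interface 100
set system ddos-protection protocols resolve ucast-v4 flow-level-detection subscriber off

## Checks after commit:
##   show ddos-protection protocols resolve
##       -> configured vs. actual rates, and whether a policer is in violation
##   show ddos-protection protocols resolve flow-detection
##       -> the suspect flows currently being tracked
```

The point of the ordering is the one made in the post: the FIB-side hold on an unresolvable destination drops the flood before it reaches these policers, so the IFL limit only has to protect against what is left rather than being the first and only line of defence for every host on the same interface.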