[j-nsp] essential network rate limiting and ddos mitigation

mike+jnsp at willitsonline.com mike+jnsp at willitsonline.com
Fri Jun 22 08:12:23 EDT 2018


Hello,


    I am very new to juniper, please pardon my ignorance.


    I have an MX240, and I have a 10G link to my upstream. I have
several other links facing my customers and hosting infrastructure which
all run at something decidedly less than 10G. I'm interested in
implementing some network rate limit controls so that certain common
attacks like DNS / LDAP / memcache reflection can be rate limited down
to reasonable levels and avoid trying to forward a 4 Gbps stream down a
100 Mbps pipe. I know I want a layered system of policies and that I want
to include perhaps sampling and such with jflow or other tools and RTBH,
but for right now having even just basic limits on known reflection
attack protocols would be a huge step forward.

    I was wondering what the 'quick and dirty' setup of rate limiting
the forwarding of certain protocols and to certain destination networks
/ interfaces would look like on this platform. Some basic config
snippets would be a huge help.


Thank you.

Mike-
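A minimal Junos firewall filter and policer of the kind the post asks for, added here as an illustration and not a configuration from the original thread. It assumes 192.0.2.0/24 stands in for one customer prefix behind a 100 Mbps link, and that the 50m/5m policer values are placeholders to be tuned to the actual downstream capacity (the limit also hits legitimate replies from these ports, so it must sit above normal traffic).

```junos
/* Assumed values: size bandwidth-limit to the slowest downstream pipe
   this traffic can land on. filter-specific makes all terms below share
   one policer instance; without it each term gets its own 50m bucket. */
firewall {
    policer reflection-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 5m;
        }
        then discard;
    }
    family inet {
        filter upstream-in {
            /* Reflected amplification arrives as UDP replies from the
               reflector's service port: DNS 53, CLDAP 389, memcached 11211. */
            term rate-limit-reflection {
                from {
                    protocol udp;
                    source-port [ 53 389 11211 ];
                    destination-address 192.0.2.0/24;
                }
                then {
                    policer reflection-policer;
                    count reflection-limited;
                    accept;
                }
            }
            /* Non-initial fragments carry no UDP header, so the port match
               above misses them; police them with the same policer. */
            term rate-limit-fragments {
                from {
                    is-fragment;
                    destination-address 192.0.2.0/24;
                }
                then {
                    policer reflection-policer;
                    count fragments-limited;
                    accept;
                }
            }
            term default-accept {
                then accept;
            }
        }
    }
}
```

Apply it inbound on the upstream port (here assumed to be xe-0/0/0) with `set interfaces xe-0/0/0 unit 0 family inet filter input upstream-in`, and watch the per-term counters with `show firewall filter upstream-in` to see how much is being policed before tightening the limit.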
