[j-nsp] essential network rate limiting and ddos mitigation
adamv0025 at netconsultings.com
adamv0025 at netconsultings.com
Wed Jun 27 18:46:41 EDT 2018
> Of Aaron Gould
> Sent: Friday, June 22, 2018 3:46 PM
>
> Hi Mike, I would like to hear from others about anything that might be
built
> into Junos regarding intrusion or ddos types of traffic handling... (I do
see
> ddos mentioned in cli shown below) since I too will soon have at least 2
and
> maybe 3, MX960 boundary routers between my ISP and the internet and will
> need to do this in Junos also...
>
That's not it :)
That is to protect the router not your network.
You have to do the same thing you did on the ASR9ks (bucket per DDoS vector)
Although what I'd recommend (and this is where decent forwarding asic comes
handy) is a hierarchical approach where you divide your public address space
into individual buckets at parent level and then do your top 10 DDoS vector
rate limiting within each of these individual parent buckets, this approach
reduces the collateral damage.
adam
netconsultings.com
::carrier-class solutions for the telecommunications industry::
More information about the juniper-nsp
mailing list