[j-nsp] DDoS to core interface - mitigation

Roland Dobbins rdobbins at arbor.net
Thu Mar 8 22:20:02 EST 2018


On 9 Mar 2018, at 3:35, Saku Ytti wrote:

> a) have edgeACL which polices ICMP and UDP high ports to your links
> and drops rest
> b) don't advertise your links in IGP or iBGP

This.  iACL plus no link advertisement (need a sound addressing plan to 
make both practical at scale).

Here's a link to a .pdf preso which talks about network infrastructure 
self-protection.  It's Cisco-centric because that's my background, but 
the concepts are universal:

<https://app.box.com/s/osk4po8ietn1zrjjmn8b>

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
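
Item (a) from the quoted text, sketched as a Junos firewall filter; this is an added example and not part of the original message or of the linked presentation. Assumptions: every link address is numbered out of one aggregate (the documentation prefix 192.0.2.0/24 stands in for it), and the filter, policer and prefix-list names, the policer rate and the UDP port range are all constructed for illustration.

```junos
/* Added example. Names, 192.0.2.0/24 and the policer rate are constructed. */
policy-options {
    prefix-list INFRA-LINKS {
        192.0.2.0/24;
    }
}
firewall {
    policer INFRA-1M {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter EDGE-IN {
            term infra-icmp {
                from {
                    destination-prefix-list INFRA-LINKS;
                    protocol icmp;
                }
                then {
                    policer INFRA-1M;
                    accept;
                }
            }
            /* "UDP high ports": 33434-33534 is an assumed range, not from the thread. */
            term infra-udp-high {
                from {
                    destination-prefix-list INFRA-LINKS;
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    policer INFRA-1M;
                    accept;
                }
            }
            term infra-drop {
                from {
                    destination-prefix-list INFRA-LINKS;
                }
                then discard;
            }
            term transit {
                then accept;
            }
        }
    }
}
```

The filter takes effect once applied inbound on each edge-facing unit with `family inet filter input EDGE-IN`. Any session that terminates on a link address, such as eBGP with a directly connected neighbor, needs its own accept term ahead of `infra-drop`.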

