[j-nsp] DDoS to core interface - mitigation
Roland Dobbins
rdobbins at arbor.net
Thu Mar 8 22:20:02 EST 2018
On 9 Mar 2018, at 3:35, Saku Ytti wrote:
> a) have edgeACL which polices ICMP and UDP high ports to your links
> and drops rest
> b) don't advertise your links in IGP or iBGP
This. iACL plus no link advertisement (need a sound addressing plan to
make both practical at scale).
Here's a link to a .pdf preso which talks about network infrastructure
self-protection. It's Cisco-centric because that's my background, but
the concepts are universal:
<https://app.box.com/s/osk4po8ietn1zrjjmn8b>
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
More information about the juniper-nsp
mailing list