[j-nsp] DDoS to core interface - mitigation

adamv0025 at netconsultings.com
Fri Mar 9 09:35:25 EST 2018


> Of Roland Dobbins
> Sent: Friday, March 09, 2018 3:20 AM
> 
> 
> On 9 Mar 2018, at 3:35, Saku Ytti wrote:
> 
> > a) have edgeACL which polices ICMP and UDP high ports to your links
> > and drops rest
> > b) don't advertise your links in IGP or iBGP
> 
> This.  iACL plus no link advertisement (need a sound addressing plan to
> make both practical at scale).
> 
Well, having dedicated infrastructure address blocks for p2p links and
loopbacks is an absolute must; if absent, it should be one's priority 1
project.

Regarding point b):
That one might be cumbersome, as IPs for CE-PE links in the Internet VRF are
usually allocated either from your own public address space (so you'd have
to fragment it and not advertise the block used for PE-CE links, creating more
state in the GRT) or from PI space, which you don't have control over yet
is part of your infrastructure.
 
adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
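As an added illustration of point a) from the thread (not configuration posted by anyone on the list): a Junos infrastructure ACL applied inbound on an edge interface that polices ICMP and UDP traceroute probes aimed at the infrastructure blocks Adam describes and discards everything else to them, while leaving transit traffic alone. The prefixes, the eBGP peer, the policer rates and the interface name are assumptions using RFC 5737 documentation addresses; the UDP port range is the classic traceroute range, which is one reading of "UDP high ports".

```junos
/* Added example, not from the original thread. All addresses are RFC 5737
   placeholders: 192.0.2.0/24 = p2p link block, 198.51.100.0/24 = loopbacks,
   203.0.113.1 = the directly connected eBGP peer on this edge interface. */
policy-options {
    prefix-list INFRA-LINKS     { 192.0.2.0/24; }
    prefix-list INFRA-LOOPBACKS { 198.51.100.0/24; }
    prefix-list EBGP-PEERS      { 203.0.113.1/32; }
}
firewall {
    /* Rates are assumed; size them to what your REs actually need. */
    policer ICMP-TO-INFRA {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    policer UDP-TRACEROUTE-TO-INFRA {
        if-exceeding { bandwidth-limit 512k; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter EDGE-IACL {
            /* eBGP terminates on the link address, so exempt the known
               peer before the catch-all discard or the session drops. */
            term ebgp-peer {
                from { source-prefix-list { EBGP-PEERS; } destination-prefix-list { INFRA-LINKS; } protocol tcp; port bgp; }
                then accept;
            }
            term icmp-to-infra {
                from { destination-prefix-list { INFRA-LINKS; INFRA-LOOPBACKS; } protocol icmp; }
                then { policer ICMP-TO-INFRA; accept; }
            }
            term udp-high-to-infra {
                from { destination-prefix-list { INFRA-LINKS; INFRA-LOOPBACKS; } protocol udp; destination-port 33434-33534; }
                then { policer UDP-TRACEROUTE-TO-INFRA; accept; }
            }
            /* Everything else destined to infrastructure is dropped and counted,
               so a DDoS against a link shows up as a rising counter, not a dead RE. */
            term drop-rest-to-infra {
                from { destination-prefix-list { INFRA-LINKS; INFRA-LOOPBACKS; } }
                then { count iacl-infra-drops; discard; }
            }
            /* Customer/transit traffic is not the iACL's business. */
            term transit { then accept; }
        }
    }
}
interfaces {
    ge-0/0/0 { unit 0 { family inet { filter { input EDGE-IACL; } } } }
}
```

Watch `show firewall filter EDGE-IACL` for the `iacl-infra-drops` counter; it only works as intended if the infrastructure blocks are genuinely dedicated, which is exactly why the addressing plan comes first.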


