[j-nsp] DDoS to core interface - mitigation
adamv0025 at netconsultings.com
Fri Mar 9 09:35:25 EST 2018
> Of Roland Dobbins
> Sent: Friday, March 09, 2018 3:20 AM
>
>
> On 9 Mar 2018, at 3:35, Saku Ytti wrote:
>
> > a) have edgeACL which polices ICMP and UDP high ports to your links
> > and drops rest
> > b) don't advertise your links in IGP or iBGP
>
> This. iACL plus no link advertisement (need a sound addressing plan to
> make both practical at scale).
>
Well, having dedicated infrastructure address blocks for p2p links and
loopbacks is an absolute must; if absent, it should be one's priority 1
project.
Regarding point b):
That one might be cumbersome, as IPs for CE-PE links in the Internet VRF are
usually allocated either from your own public address space (so you'd have
to fragment it and not advertise the block used for PE-CE links, creating more
state in the GRT) or from PI space, which you don't have control over yet
is part of your infrastructure.
adam
netconsultings.com
::carrier-class solutions for the telecommunications industry::
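A worked Junos configuration for point a) above (edge iACL that polices ICMP and UDP traceroute ports towards infrastructure addresses and drops the rest), written as an added example; it is not from any message in this thread. The prefix-list and filter names, the interface, the policer rates and the documentation-range addresses are all assumptions, and the eBGP term is a practitioner's addition so that peering sessions terminated on link addresses survive the final drop term.

```junos
## Dedicated infrastructure blocks (hypothetical documentation prefixes):
## loopbacks and p2p links live in their own ranges so one prefix-list
## each covers all of them, which is what makes the iACL practical at scale.
set policy-options prefix-list INFRA-LOOPBACKS 192.0.2.0/24
set policy-options prefix-list INFRA-LINKS 198.51.100.0/24
## Hypothetical eBGP neighbour that peers with one of our link addresses
set policy-options prefix-list EBGP-PEERS 203.0.113.1/32

## Policers bounding ICMP and UDP traceroute probes aimed at infrastructure;
## 1 Mbit/s and 15 KB burst are assumed values, size them for your platform.
set firewall policer ICMP-TO-INFRA if-exceeding bandwidth-limit 1m
set firewall policer ICMP-TO-INFRA if-exceeding burst-size-limit 15k
set firewall policer ICMP-TO-INFRA then discard
set firewall policer TRACEROUTE-TO-INFRA if-exceeding bandwidth-limit 1m
set firewall policer TRACEROUTE-TO-INFRA if-exceeding burst-size-limit 15k
set firewall policer TRACEROUTE-TO-INFRA then discard

## The iACL: terms are evaluated top-down and Junos discards anything
## that falls off the end of a filter, hence the explicit transit term.
## 1. Configured eBGP peers may still reach the link address they peer with.
set firewall family inet filter EDGE-iACL term ebgp-peers from source-prefix-list EBGP-PEERS
set firewall family inet filter EDGE-iACL term ebgp-peers from destination-prefix-list INFRA-LINKS
set firewall family inet filter EDGE-iACL term ebgp-peers from protocol tcp
set firewall family inet filter EDGE-iACL term ebgp-peers from port bgp
set firewall family inet filter EDGE-iACL term ebgp-peers then accept
## 2. ICMP to links and loopbacks is policed rather than dropped, so ping
##    and path-MTU discovery keep working under normal load.
set firewall family inet filter EDGE-iACL term icmp-infra from destination-prefix-list INFRA-LINKS
set firewall family inet filter EDGE-iACL term icmp-infra from destination-prefix-list INFRA-LOOPBACKS
set firewall family inet filter EDGE-iACL term icmp-infra from protocol icmp
set firewall family inet filter EDGE-iACL term icmp-infra then policer ICMP-TO-INFRA
set firewall family inet filter EDGE-iACL term icmp-infra then accept
## 3. UDP high ports used by traceroute get the same treatment.
set firewall family inet filter EDGE-iACL term traceroute-infra from destination-prefix-list INFRA-LINKS
set firewall family inet filter EDGE-iACL term traceroute-infra from destination-prefix-list INFRA-LOOPBACKS
set firewall family inet filter EDGE-iACL term traceroute-infra from protocol udp
set firewall family inet filter EDGE-iACL term traceroute-infra from destination-port 33434-33534
set firewall family inet filter EDGE-iACL term traceroute-infra then policer TRACEROUTE-TO-INFRA
set firewall family inet filter EDGE-iACL term traceroute-infra then accept
## 4. Everything else destined to infrastructure is counted and discarded.
set firewall family inet filter EDGE-iACL term infra-drop from destination-prefix-list INFRA-LINKS
set firewall family inet filter EDGE-iACL term infra-drop from destination-prefix-list INFRA-LOOPBACKS
set firewall family inet filter EDGE-iACL term infra-drop then count infra-drop
set firewall family inet filter EDGE-iACL term infra-drop then discard
## 5. Transit traffic to customer and public prefixes is untouched.
set firewall family inet filter EDGE-iACL term transit then accept

## Apply ingress on the external-facing interface (hypothetical ifl).
set interfaces ge-0/0/0 unit 0 family inet filter input EDGE-iACL
```

Verify with `show firewall filter EDGE-iACL` that the `infra-drop` counter moves during an attack while the policed ICMP term still passes traffic. This edge filter complements, and does not replace, a lo0 filter protecting the Routing Engine; point b) (keeping link prefixes out of the IGP and iBGP) is routing policy and is not shown here.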