[j-nsp] DDoS to core interface - mitigation

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Fri Mar 9 09:48:35 EST 2018


> From: Saku Ytti [mailto:saku at ytti.fi]
> Sent: Friday, March 09, 2018 2:39 PM
> 
> On 9 March 2018 at 16:35,  <adamv0025 at netconsultings.com> wrote:
> 
> 
> > Regarding point b)
> > That one might be cumbersome as IP for CE-PE links in the Internet VRF
> > are usually allocated from either your own public address space (so
> > you'd have to fragment it and not advertising block used for PE-CE
> > links -creating more state in GRT) or come from PI space which you
> > don't have control over yet it's part of your infrastructure.
> 
> In one shop I did /31 or /30 links from the customer's or our pool, but we never
> advertised the connected networks. If the far end for some reason needed a
> routed link network, after we tried to demotivate, we created a /32 static route
> for it. So we still didn't have that address as attack surface on the PE from
> outside the PE.
> 
> 
Ooh yes sure, this would also be taken care of by proper iACLs as well.
But I was actually referring to the very appealing idea you proposed in b) to not even advertise the range, so the DDoS traffic would not even end up at your doorstep, as the Internet simply would not have a route for any of your p2p links.

adam 

netconsultings.com
::carrier-class solutions for the telecommunications industry::
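The approach discussed above (use /31 link networks, never originate them into BGP, and hand out only a /32 static for a far end that insists on a reachable link address, backed by an iACL on the Internet-facing side) sketched as a Junos configuration. This is an added example and not configuration from either poster; the prefix list, policy, filter and group names, and all addresses (192.0.2.0/31, 192.0.2.2/31, 203.0.113.0/24) are constructed placeholders, and the example assumes the global routing table rather than a separate Internet VRF.

```junos
policy-options {
    ## Constructed: the /31s used on PE-CE links. Keep this list in step with
    ## the interface addressing, since the policy and the filter both key on it.
    prefix-list PE-CE-LINKNETS {
        192.0.2.0/31;
        192.0.2.2/31;
    }
    policy-statement EXPORT-INTERNET {
        ## Never originate the connected link networks into BGP, so the rest of
        ## the Internet holds no route toward the PE-CE addresses.
        term NO-LINKNETS {
            from {
                protocol direct;
                prefix-list PE-CE-LINKNETS;
            }
            then reject;
        }
        ## A far end that needs a reachable link address gets only its own /32
        ## (the static below); the PE side of the /31 stays unrouted.
        term FAR-END-HOST-ROUTE {
            from {
                protocol static;
                route-filter 192.0.2.1/32 exact;
            }
            then accept;
        }
        ## Constructed customer aggregate that is meant to be reachable.
        term CUSTOMER-AGGREGATE {
            from {
                route-filter 203.0.113.0/24 exact;
            }
            then accept;
        }
        term DEFAULT-DENY {
            then reject;
        }
    }
}
routing-options {
    static {
        ## Host route for the far-end address only; it resolves over the
        ## directly connected /31 and is the one link-net prefix exported.
        route 192.0.2.1/32 next-hop 192.0.2.1;
    }
}
protocols {
    bgp {
        group INTERNET-PEERS {
            export EXPORT-INTERNET;
        }
    }
}
firewall {
    family inet {
        ## iACL for the Internet-facing interfaces: belt and braces in case a
        ## link-net prefix leaks or an attacker guesses the addressing anyway.
        filter IACL-INTERNET-EDGE {
            term ALLOW-FAR-END-HOST {
                from {
                    destination-address {
                        192.0.2.1/32;
                    }
                }
                then accept;
            }
            term DROP-TO-LINKNETS {
                from {
                    destination-prefix-list {
                        PE-CE-LINKNETS;
                    }
                }
                then {
                    count linknet-drops;
                    discard;
                }
            }
            term DEFAULT {
                then accept;
            }
        }
    }
}
```

Apply IACL-INTERNET-EDGE as an input filter on the upstream and peering interfaces, not on the customer-facing ones, and watch the linknet-drops counter: a steady non-zero value is the signal that link-net addresses are known outside the network despite the export policy.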



