[j-nsp] RE filter BCP

Jason Lixfeld jason-jnsp at lixfeld.ca
Thu Jan 3 16:01:59 EST 2019


> On Jan 3, 2019, at 3:34 PM, Saku Ytti <saku at ytti.fi> wrote:
> 
> On Thu, 3 Jan 2019 at 22:23, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
> 
>> If you match on specific source (and presumably specific destination) addresses, why is a directionally agnostic port match bad?  Or is it not so much bad as it is being too lazy to create a second term or an established filter/term?
> 
> Because they can set SPORT==BGP and DPORT==SSH and hammer your SSH.

Ah, of course.

>>> e) have ultimate deny all rule
>>> 
>>> On top of that, configure _every_ ddos-protection protocol.
>> 
>> Assuming a policer falls into the category of ddos-protection protocol, what sorts of others are you referring to?
> 
> MX has specific configuration called 'ddos-protection' which covers
> many protocols L3 and others and is fixing the problem of one bad
> actor (one bad BGP session) causing collateral damage.

Good to know, thanks.

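As an added worked example (not config posted by either participant in this thread), the point above in Junos terms: a directionally agnostic `port bgp` term next to the split inbound/established terms it should be replaced with, the final discard term, a policer, and a `system ddos-protection` stanza. The filter and policer names, prefix lists, addresses (RFC 5737 documentation ranges) and all rate values are assumptions for illustration and must be sized for the real box; the example is `family inet` only and a matching `family inet6` filter is left out.

```junos
/* Assumed prefix lists: replace with the real peer and management addresses */
policy-options {
    prefix-list BGP-PEERS {
        192.0.2.1/32;
        192.0.2.2/32;
    }
    prefix-list MGMT-NETS {
        198.51.100.0/24;
    }
}

firewall {
    /* Assumed rate: per-term policer so one misbehaving peer cannot flood the RE */
    policer BGP-POLICER {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        /* WEAK, shown only for contrast and NOT applied to lo0:
           "port bgp" matches source OR destination port, so a packet from a
           peer address with sport=179 dport=22 is accepted here and reaches SSH. */
        filter RE-PROTECT-WEAK {
            term bgp-any-direction {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
        }
        filter RE-PROTECT {
            /* Peer-initiated sessions: peers only, and only towards TCP/179 */
            term bgp-in {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    policer BGP-POLICER;
                    accept;
                }
            }
            /* Sessions the RE opened: replies come from sport 179 to our ephemeral
               port and already carry ACK/RST, so a forged sport=179 SYN to any
               other RE service falls through to the deny term */
            term bgp-established {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    source-port bgp;
                    destination-port 1024-65535;
                    tcp-established;
                }
                then {
                    policer BGP-POLICER;
                    accept;
                }
            }
            term ssh-in {
                from {
                    source-prefix-list {
                        MGMT-NETS;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Ultimate deny-all, counted so drops are visible */
            term deny-all {
                then {
                    count RE-PROTECT-DENY;
                    discard;
                }
            }
        }
    }
}

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE-PROTECT;
                }
            }
        }
    }
}

/* Assumed pps values; ddos-protection limits each protocol separately so one
   bad BGP session cannot starve the others */
system {
    ddos-protection {
        protocols {
            bgp {
                aggregate {
                    bandwidth 500;
                    burst 500;
                }
            }
            ssh {
                aggregate {
                    bandwidth 100;
                    burst 100;
                }
            }
        }
    }
}
```

To check it is doing what you expect: `show firewall filter RE-PROTECT` shows the `RE-PROTECT-DENY` counter climbing when unwanted traffic arrives, and `show ddos-protection protocols violations` lists any protocol whose configured rate has been exceeded. Port matches are only meaningful together with `protocol tcp` (or `udp`), so keep that qualifier in every term that names a port.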
