[j-nsp] rate limiting per-user prefix lists

mike+jnsp at willitsonline.com mike+jnsp at willitsonline.com
Tue Jan 8 13:58:25 EST 2019


    My platform is Juniper mx240 running 15.1R6.7 and I'm interested in
using prefix-action to establish rate limits per user in my network.

    DDOS attacks targeting single users on my network can frequently
affect many users who happen to share the same backhaul connectivity
such as to rural communities served by microwave backhaul. We do a
certain amount of ddos filtering already, but we would like to tighten
this up some more and one idea was the use of prefix-action so that no
single user can be forwarded traffic which clearly they cannot handle.
In one case, I have a group of users that will not get over 100mbps of
service individually for example, perhaps it's 4 /24 subnets total in a
prefix-list called 'my100mbps-endusers'. It would be jim-dandy to guard
against traffic floods exceeding this 100mbps limit to any specific /32
in the group. So, I worked out this possible config:

[edit firewall]

family inet {

    prefix-action per-user-100mbps {
        policer ratelimit-100mbps;
        destination-prefix-length 32;
        subnet-prefix-length 24;

filter per-user {
    term max-per-user {
        from {
            source-address {
            destination-prefix-list {
        then prefix-action per-user-100mbps;


What I am wondering is, a) is this stupid (and would you like some of
what I am smoking?) b) will I melt my router (along with my brain?) c)
is there a better strategy (and will judith marry anthony?) d) how
extensible would this be and could I consider scaling up to 10,000 users
this way?

Any comments, operational humor, or stack tracebacks concerning same are
appreciated. ;-)


More information about the juniper-nsp mailing list