[j-nsp] rate limiting per-user prefix lists

Alexander Arseniev arseniev at btinternet.com
Wed Jan 9 10:37:52 EST 2019


Hello,

Well, the prefix-action policers would likely relieve congestion on your 
backhaul MW links, but the 100 Mbps "last mile" will still be congested, 
with a mix of good and bad packets.

And I would say more bad than good, because good traffic (mainly HTTPS 
nowadays) will do TCP back-off at the early stage of congestion and bad 
packets (i.e. UDP flood) will fill the void in the 100 Mbps policer buckets.

Have a look at the latest Juniper-Corero DDoS solution that detects the 
attack, finds the packet "fingerprint" and then drops only bad packets, 
and it's all automated:

https://www.corero.com/resources/data-sheets/juniper-networks-solution-brief/ 


HTH

Thx
Alex

On 08/01/2019 18:58, mike+jnsp at willitsonline.com wrote:
> Hi,
>
>      My platform is a Juniper MX240 running 15.1R6.7 and I'm interested in
> using prefix-action to establish rate limits per user in my network.
>
>      DDoS attacks targeting single users on my network can frequently
> affect many users who happen to share the same backhaul connectivity,
> such as rural communities served by microwave backhaul. We do a
> certain amount of DDoS filtering already, but we would like to tighten
> this up some more, and one idea was the use of prefix-action so that no
> single user can be forwarded traffic which clearly they cannot handle.
> In one case, I have a group of users that will not get over 100 Mbps of
> service individually, for example; perhaps it's 4 /24 subnets total in a
> prefix-list called 'my100mbps-endusers'. It would be jim-dandy to guard
> against traffic floods exceeding this 100 Mbps limit to any specific /32
> in the group. So, I worked out this possible config:
>
>
> [edit firewall]
> family inet {
>     /* 2^(32-24) = 256 policers, one per /32 host in a /24 */
>     prefix-action per-user-100mbps {
>         policer ratelimit-100mbps;
>         destination-prefix-length 32;
>         subnet-prefix-length 24;
>     }
> }
> filter per-user {
>     term max-per-user {
>         from {
>             source-address {
>                 0.0.0.0/0;
>             }
>             destination-prefix-list {
>                 my100mbps-endusers;
>             }
>         }
>         then prefix-action per-user-100mbps;
>     }
> }
>
> What I am wondering is: a) is this stupid (and would you like some of
> what I am smoking?) b) will I melt my router (along with my brain?) c)
> is there a better strategy (and will Judith marry Anthony?) d) how
> extensible would this be, and could I consider scaling up to 10,000 users
> this way?
>
> Any comments, operational humor, or stack tracebacks concerning same are
> appreciated. ;-)
>
>
> Mike-
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
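For anyone picking this thread up later: the config quoted above is missing two pieces it needs before it does anything, the policer that `prefix-action` references and the interface the filter is applied to. Below is a complete version as an added example; it is not config from Mike or from Juniper's documentation. Assumptions: 192.0.2.0/24 and 198.51.100.0/24 stand in for two of the four end-user /24s (repeat the pattern for the others), xe-0/0/0 is the port facing the microwave backhaul, and the burst size is a guess that has to be tuned to the real link. It also splits the subnets into one term and one prefix-action each, because, as far as I understand prefix-action, a single action referenced by a term covering several /24s still only instantiates 2^(32-24) = 256 policers, indexed by the host bits, so .5 in every /24 would share one bucket. None of this changes Alex's point: a per-/32 cap keeps a flood from saturating the backhaul, but the 100 Mbps last mile to the victim still fills with whatever gets through.

```junos
/* Added example, not from the thread. Assumed names and addresses:
   192.0.2.0/24 and 198.51.100.0/24 are placeholders for the end-user /24s,
   xe-0/0/0 is the backhaul-facing port, burst-size-limit is a guess. */
firewall {
    policer ratelimit-100mbps {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 1m;   /* assumed; size to the real link */
        }
        then discard;
    }
    family inet {
        /* One prefix-action per /24: each instantiates 2^(32-24) = 256
           policers, one per destination /32, indexed by the host octet. */
        prefix-action per-user-100mbps-a {
            policer ratelimit-100mbps;
            count;
            destination-prefix-length 32;
            subnet-prefix-length 24;
        }
        prefix-action per-user-100mbps-b {
            policer ratelimit-100mbps;
            count;
            destination-prefix-length 32;
            subnet-prefix-length 24;
        }
        filter per-user {
            term subnet-a {
                from {
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then prefix-action per-user-100mbps-a;
            }
            term subnet-b {
                from {
                    destination-address {
                        198.51.100.0/24;
                    }
                }
                then prefix-action per-user-100mbps-b;
            }
            /* Everything else passes untouched; without this term the
               filter's implicit discard would drop all other traffic. */
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    /* Police towards the users, i.e. on egress to the backhaul */
                    output per-user;
                }
            }
        }
    }
}
```

The `count` statement gives you per-/32 counters alongside the policers, so after committing you can see which host is being hit with `show firewall prefix-action-stats filter per-user prefix-action per-user-100mbps-a from 0 to 255` rather than guessing from aggregate interface counters. Applying the filter as `output` on the backhaul-facing interface means a flood is dropped before it crosses the MW link, which is the congestion the original post was trying to relieve.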

