[j-nsp] Marking/shaping UDP reflection traffic
Gert Doering
gert at greenie.muc.de
Wed Mar 9 12:39:01 EST 2022
Hi,
On Wed, Mar 09, 2022 at 05:10:25PM +0000, Dario Amaya via juniper-nsp wrote:
> I am looking to implement shaping/rate limiting of common DDOS
> reflection / amplification UDP traffic on our backbone ports.
>
> if we have a 10G backbone link how would I go about rate-limiting say
> udp/123 to maximum 5Gbps? Is anybody doing this already?
We rate-limit on all "Internet-facing" ports (IXP, transit), and not
on backbone links - why rate-limit when it's already in, instead of just
not letting it in...
We use different classes for UDP/123, UDP/53 (exclude well-known
recursives), fragments, ... and are currently using between 20 and 100
mbit/s for these classes. What is the right number for you depends
on "how much can your customers stomach?" and "how much do you see
under normal conditions?".
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20220309/50543008/attachment.sig>
More information about the juniper-nsp
mailing list