[j-nsp] Marking/shaping UDP reflection traffic

Gert Doering gert at greenie.muc.de
Wed Mar 9 12:39:01 EST 2022


Hi,

On Wed, Mar 09, 2022 at 05:10:25PM +0000, Dario Amaya via juniper-nsp wrote:
> I am looking to implement shaping/rate limiting of common DDOS
> reflection / amplification UDP traffic on our backbone ports.
> 
> If we have a 10G backbone link, how would I go about rate-limiting, say,
> udp/123 to a maximum of 5Gbps? Is anybody doing this already?

We rate-limit on all "Internet-facing" ports (IXP, transit), and not
on backbone links - why rate-limit when it's already in, instead of just
not letting it in...

We use different classes for UDP/123, UDP/53 (excluding well-known
recursives), fragments, ... and are currently using between 20 and 100
mbit/s for these classes.  What the right number is for you depends
on "how much can your customers stomach?" and "how much do you see
under normal conditions?".

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
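One way to express the scheme Gert describes as a Junos configuration: an ingress filter on an Internet-facing port with one policer per class (UDP/123 responses, UDP/53 responses except from trusted recursives, non-initial fragments). This is an added example, not configuration from the thread or from either poster; the interface name, policer rates, burst sizes, term and counter names, and the prefix-list contents are assumptions, and 192.0.2.53 is an RFC 5737 placeholder address. Reflected traffic arrives with the reflector's service port as its *source* port, which is why the terms match on source-port.

```junos
policy-options {
    prefix-list WELL-KNOWN-RECURSIVES {
        /* placeholder (RFC 5737); list the public resolvers your customers rely on */
        192.0.2.53/32;
    }
}
firewall {
    /* one policer per class; rates are assumed, pick them from your baseline */
    policer POLICE-NTP {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 500k;
        }
        then discard;
    }
    policer POLICE-DNS {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 1m;
        }
        then discard;
    }
    policer POLICE-FRAGMENTS {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        filter INTERNET-FACING-IN {
            term ntp-responses {
                from {
                    protocol udp;
                    source-port 123;
                }
                then {
                    policer POLICE-NTP;
                    count ntp-responses;
                    accept;
                }
            }
            /* trusted recursives pass unpoliced; must precede the generic DNS term */
            term dns-from-trusted-recursives {
                from {
                    source-prefix-list {
                        WELL-KNOWN-RECURSIVES;
                    }
                    protocol udp;
                    source-port 53;
                }
                then {
                    count dns-trusted;
                    accept;
                }
            }
            term dns-responses {
                from {
                    protocol udp;
                    source-port 53;
                }
                then {
                    policer POLICE-DNS;
                    count dns-responses;
                    accept;
                }
            }
            /* non-initial fragments carry no UDP header, so the port terms above
               cannot see them; police them as their own class */
            term fragments {
                from {
                    is-fragment;
                }
                then {
                    policer POLICE-FRAGMENTS;
                    count fragments;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* assumed IXP-facing port; apply the same filter on transit ports */
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input INTERNET-FACING-IN;
                }
            }
        }
    }
}
```

The filter is applied inbound on the Internet-facing port rather than on backbone links, matching the reply's point that traffic should be limited where it enters. The `count` actions let you run the filter with generous policer rates first and read `show firewall filter INTERNET-FACING-IN` to learn what each class carries under normal conditions before tightening the limits; a policer referenced from a term is instantiated per term in Junos, so each class is limited independently.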