On (2011-08-09 15:11 +0200), bas wrote: Hey,
> I don't see where this has any benefit over a properly configured re
> input filter.

I agree with this. I was VERY concerned upon seeing this feature, in what order it is processed, as DDOS policers can't differentiate good and bad traffic. Luckily lo0 is evaluated first, so what DDOS policers do or don't do isn't of much relevance to anyone with a semi-sane lo0 filter.

I also noticed that after passing the DDOS policer there seems to be another 10kpps policer before reaching the RE, which is problematic, as some default values in the DDOS policer allow 20kpps.

I'd really love for this pps policing functionality to be exposed to firewall policers, as it is much more useful in lo0 policers than bps policing.

> Anyone on this list understand how this feature can be used in any
> sensible way against "real" internet DDoS attacks?

In my opinion it is just a poor man's lo0 filter.

Some things I found while trying to figure out where the DDOS filter is done:
http://ip.fi/punt.txt

--
 ++ytti
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
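For readers who have not built the "semi-sane lo0 filter" the post refers to, the following Junos configuration fragment is an added illustration, not part of the original message or of any Juniper documentation. It shows the control-plane protection pattern the thread contrasts with DDoS-protection policers: an input filter on lo0 that accepts expected routing-protocol traffic from known peers, rate-limits ICMP with a conventional bandwidth (bps) policer, counts and discards everything else, and is evaluated before any DDoS-protection policer. The filter, term, policer, counter and prefix-list names, and the peer addresses (taken from documentation ranges), are assumptions chosen for this example.

```junos
policy-options {
    /* Assumed peer addresses (documentation ranges); replace with real neighbours. */
    prefix-list bgp-peers {
        192.0.2.1/32;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Accept BGP only from known peers; unexpected sources never reach the RE. */
            term allow-bgp-from-peers {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* ICMP is useful for diagnostics but must not be able to flood the RE. */
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Everything not explicitly allowed above is counted and dropped. */
            term deny-rest {
                then {
                    count protect-re-drops;
                    discard;
                }
            }
        }
    }
    /* Firewall policers are bandwidth-based (bps), which is the limitation the post complains about. */
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After commit, `show firewall filter protect-re` reports the `protect-re-drops` counter and the policer's discards, which is the quickest way to confirm that unwanted traffic is being dropped at the lo0 filter rather than relying on whatever the DDoS-protection policers do further along the path. A production filter would have additional terms for the other protocols the box actually speaks (OSPF, IS-IS, LDP, SSH, SNMP, NTP), each restricted to its legitimate sources in the same way.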

