> Of Aaron Gould
> Sent: Friday, June 22, 2018 3:46 PM
>
> Hi Mike, I would like to hear from others about anything that might be built
> into Junos regarding intrusion or ddos types of traffic handling... (I do see
> ddos mentioned in cli shown below) since I too will soon have at least 2 and
> maybe 3, MX960 boundary routers between my ISP and the internet and will
> need to do this in Junos also...
>
That's not it :) That is to protect the router, not your network.
You have to do the same thing you did on the ASR9ks (bucket per DDoS vector).

Although what I'd recommend (and this is where a decent forwarding ASIC comes in handy) is a hierarchical approach where you divide your public address space into individual buckets at the parent level and then do your top 10 DDoS vector rate limiting within each of these individual parent buckets; this approach reduces the collateral damage.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
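
The collateral-damage argument in the message above, as a small simulation (an added example, not from the original post and not Junos or IOS XR configuration). It compares one policer per DDoS vector against one policer per (parent prefix, vector); the prefixes, the vector table, the rates and the packet trace are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed values: documentation prefixes, illustrative vectors and rates.
PARENTS = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]
VECTORS = {("udp", 123): "ntp", ("udp", 53): "dns", ("udp", 1900): "ssdp"}
RATE = 1000    # bytes refilled into each bucket per millisecond
BURST = 10000  # bucket depth in bytes

class Bucket:
    """Integer token bucket: refills RATE bytes per elapsed ms, capped at BURST."""
    def __init__(self):
        self.tokens, self.last = BURST, 0

    def allow(self, now_ms, size):
        self.tokens = min(BURST, self.tokens + (now_ms - self.last) * RATE)
        self.last = now_ms
        if self.tokens < size:
            return False
        self.tokens -= size
        return True

def parent_of(dst):
    """Map a destination address to its parent bucket (the covering prefix)."""
    addr = ipaddress.ip_address(dst)
    return next((str(n) for n in PARENTS if addr in n), "other")

def run(packets, hierarchical):
    """Police (ms, dst, proto, sport, size) packets; return {dst: [passed, dropped]}."""
    buckets = defaultdict(Bucket)
    stats = defaultdict(lambda: [0, 0])
    for now_ms, dst, proto, sport, size in packets:
        vector = VECTORS.get((proto, sport))
        if vector is None:  # not one of the policed vectors: forward untouched
            stats[dst][0] += 1
            continue
        # Flat: one bucket per vector. Hierarchical: one per vector inside each parent.
        key = (parent_of(dst), vector) if hierarchical else vector
        stats[dst][0 if buckets[key].allow(now_ms, size) else 1] += 1
    return stats

def sample_traffic(ms=100):
    """Constructed trace: a UDP/123 flood at one host, one normal UDP/123 packet
    per ms to a host in another prefix, interleaved at a rotating position."""
    pkts = []
    for t in range(1, ms + 1):
        tick = [(t, "203.0.113.10", "udp", 123, 500)] * 20
        tick.insert(t % 21, (t, "198.51.100.5", "udp", 123, 500))
        pkts += tick
    return pkts
```

With the flat policer the unrelated host loses 91 of its 100 packets to the shared bucket; with per-parent buckets it loses none, while the flood is still held to the same rate.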

