Hello,

Well, the prefix-action policers would likely relieve congestion on your backhaul MW links, but the 100Mbps "last mile" will still be congested, with a mix of good and bad packets.

And I would say more bad than good, because good traffic (mainly HTTPS nowadays) will do TCP backoff at the early stage of congestion, and bad packets (i.e. a UDP flood) will fill the void in the 100Mbps policer buckets.

Have a look at the latest Juniper-Corero DDoS solution that detects the attack, finds the packet "fingerprint" and then drops only bad packets, and it's all automated:

https://www.corero.com/resources/data-sheets/juniper-networks-solution-brief/

HTH

Thx
Alex

On 08/01/2019 18:58, mike+j...@willitsonline.com wrote:
Hi,

My platform is a Juniper MX240 running 15.1R6.7 and I'm interested in
using prefix-action to establish rate limits per user in my network.

DDoS attacks targeting single users on my network can frequently
affect many users who happen to share the same backhaul connectivity,
such as to rural communities served by microwave backhaul. We do a
certain amount of DDoS filtering already, but we would like to tighten
this up some more, and one idea was the use of prefix-action so that no
single user can be forwarded traffic which clearly they cannot handle.
In one case, I have a group of users that will not get over 100 Mbps of
service individually, for example; perhaps it's 4 /24 subnets total in a
prefix-list called 'my100mbps-endusers'. It would be jim-dandy to guard
against traffic floods exceeding this 100 Mbps limit to any specific /32
in the group. So, I worked out this possible config:

[edit firewall]
family inet {
    prefix-action per-user-100mbps {
        policer ratelimit-100mbps;
        destination-prefix-length 32;
        subnet-prefix-length 24;
    }
}
filter per-user {
    term max-per-user {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-prefix-list {
                my100mbps-endusers;
            }
        }
        then prefix-action per-user-100mbps;
    }
}

What I am wondering is, a) is this stupid (and would you like some of
what I am smoking?) b) will I melt my router (along with my brain?) c)
is there a better strategy (and will judith marry anthony?) d) how
extensible would this be and could I consider scaling up to 10,000 users
this way?

Any comments, operational humor, or stack tracebacks concerning same are
appreciated. ;-)


Mike-
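
Added example, not from either poster: a Python sketch of how the prefix-action above allocates its policer instances, written on the assumption (as I read the Junos prefix-action documentation) that the instance index is formed only from the address bits between subnet-prefix-length and destination-prefix-length. It shows why one prefix-action over four /24s makes hosts with the same last octet share a policer, how many per-subnet prefix-actions 10,000 users would need, and emits per-subnet set commands; the prefix-list contents and the policer burst size are constructed placeholders.

```python
import ipaddress
from math import ceil

# Constructed stand-in for the 'my100mbps-endusers' prefix-list: four /24s.
MY100MBPS_ENDUSERS = [
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "100.64.0.0/24",
]

def instance_count(subnet_len=24, dest_len=32):
    """Policer instances one prefix-action allocates: 2^(dest_len - subnet_len)."""
    return 1 << (dest_len - subnet_len)

def instance_index(dst, subnet_len=24, dest_len=32):
    """Instance a destination address lands on. Assumption: only the address
    bits between subnet-prefix-length and destination-prefix-length form the
    index, so the /24 a host belongs to does not take part."""
    addr = int(ipaddress.IPv4Address(dst)) >> (32 - dest_len)
    return addr & (instance_count(subnet_len, dest_len) - 1)

def policer_sharing(prefix_list, subnet_len=24, dest_len=32):
    """Map each instance to the /32s that share it when one prefix-action
    serves the whole prefix-list; more than one host per instance means those
    subscribers share a single 100 Mbps policer bucket."""
    shared = {}
    for subnet in prefix_list:
        for host in ipaddress.ip_network(subnet):
            idx = instance_index(str(host), subnet_len, dest_len)
            shared.setdefault(idx, []).append(str(host))
    return shared

def prefix_actions_needed(users, subnet_len=24):
    """Prefix-actions (one per subnet) needed so each of `users` /32s gets its own instance."""
    return ceil(users / (1 << (32 - subnet_len)))

def per_subnet_config(prefix_list, policer="ratelimit-100mbps", dest_len=32):
    """Junos set commands: one prefix-action and one filter term per subnet, so
    no two subscribers collide. The burst size is an assumed placeholder value."""
    cmds = [f"set firewall policer {policer} if-exceeding bandwidth-limit 100m",
            f"set firewall policer {policer} if-exceeding burst-size-limit 1m",
            f"set firewall policer {policer} then discard"]
    for i, subnet in enumerate(prefix_list):
        net = ipaddress.ip_network(subnet)
        pa, base = f"per-user-100mbps-{i}", "set firewall family inet"
        cmds += [f"{base} prefix-action {pa} policer {policer}",
                 f"{base} prefix-action {pa} destination-prefix-length {dest_len}",
                 f"{base} prefix-action {pa} subnet-prefix-length {net.prefixlen}",
                 f"{base} filter per-user term {pa} from destination-address {net}",
                 f"{base} filter per-user term {pa} then prefix-action {pa}"]
    return cmds
```

With the original single prefix-action, policer_sharing() reports 256 instances each carrying four hosts (one per /24), so a flood at 192.0.2.7 also counts against 198.51.100.7; prefix_actions_needed(10000) gives the 40 per-/24 prefix-actions the split-out config would need.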


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp