Hi,

On Wed, Mar 09, 2022 at 05:10:25PM +0000, Dario Amaya via juniper-nsp wrote:
> I am looking to implement shaping/rate limiting of common DDOS
> reflection / amplification UDP traffic on our backbone ports.
>
> if we have a 10G backbone link how would I go about rate-limiting say
> udp/123 to maximum 5Gbps? Is anybody doing this already?

We rate-limit on all "Internet-facing" ports (IXP, transit), and not
on backbone links - why rate-limit when it's already in, instead of just
not letting it in...

We use different classes for UDP/123, UDP/53 (exclude well-known
recursives), fragments, ... and are currently using between 20 and 100
mbit/s for these classes. What is the right number for you depends
on "how much can your customers stomach?" and "how much do you see
under normal conditions?".

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
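
A sketch of the per-class policing on Internet-facing ports described in the reply above, as an added example that is not part of the original message and not the poster's actual configuration. The filter, policer and prefix-list names, the burst sizes, the interface, the recursive-resolver prefix and the exact rates (picked from the 20 to 100 Mbit/s range mentioned) are all assumptions.

```junos
/* Added example: names, rates, bursts, prefixes and the interface are assumptions. */
policy-options {
    prefix-list KNOWN-RECURSIVES {
        192.0.2.53/32;   /* placeholder from the documentation range */
    }
}
firewall {
    policer POL-NTP  { if-exceeding { bandwidth-limit 50m;  burst-size-limit 625k; } then discard; }
    policer POL-DNS  { if-exceeding { bandwidth-limit 100m; burst-size-limit 625k; } then discard; }
    policer POL-FRAG { if-exceeding { bandwidth-limit 20m;  burst-size-limit 625k; } then discard; }
    family inet {
        filter EDGE-IN {
            interface-specific;   /* separate policer and counter instances per interface */
            /* Non-first fragments carry no UDP header, so classify them before the port terms. */
            term fragments {
                from { is-fragment; }
                then { policer POL-FRAG; count frag; accept; }
            }
            term dns-known-recursives {
                from {
                    source-prefix-list { KNOWN-RECURSIVES; }
                    protocol udp;
                    port 53;
                }
                then accept;   /* excluded from the DNS class, not policed */
            }
            term dns {
                from { protocol udp; port 53; }
                then { policer POL-DNS; count dns; accept; }
            }
            term ntp {
                from { protocol udp; port 123; }
                then { policer POL-NTP; count ntp; accept; }
            }
            term everything-else { then accept; }
        }
    }
}
interfaces {
    xe-0/0/0 {   /* hypothetical transit/IXP-facing port */
        unit 0 { family inet { filter { input EDGE-IN; } } }
    }
}
```

The per-term counters, read with `show firewall` during normal operation, give the baseline against which each class rate can be judged.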

