On Nov 18, 2009, at 2:38 PM, Ben Steele wrote: > any attack > 100Mbs is going to be dropped(tail-drop/rate-limit whatever > method the ISP implements) before it even makes it to the poor software-based > router and given the almost 300Mbs @ 64-byte spec I don't think it would have > a problem with it, usual CoPP applying.
You're assuming the attack is 'inbound' - often, this isn't the case. ;> I've also seen software-based routers absolutely crushed by the sheer number of flows engendered by DNS amplification attacks, when an open recursor is soutbhound of said software-based router and the miscreants are bouncing an attack through it. ----------------------------------------------------------------------- Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp