Actually, we used mx80's as our Internet routers. What do you suppose I use to handle my firewalling, ipsec and nat?
Thank you everyone, I will pop back to this thread when I change things up and have our security guy test again. Sent from my iPhone On Jun 22, 2012, at 9:39 PM, joel jaeggli <joe...@bogus.com> wrote: > On 6/22/12 9:49 AM, Morgan Mclean wrote: >> This is exactly what happened. The session table filled up. One of our >> security guys took down our edge 650 cluster from a single unix box out on >> the net. > This is what happens when you use a stateful box for an internet router. > > a router with a covering aggreate and some knowledge of the more specifc on > the interior would inexpensively discard traffic bound for unreachable > destinations. >> >> Sent from my iPhone >> >> On Jun 22, 2012, at 4:39 AM, "Scott T. Cameron" <routeh...@gmail.com> wrote: >> >>> On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean <wrx...@gmail.com> wrote: >>> >>>> I have a /24 I want to announce, but I don't actually have it anywhere on >>>> the network. I NAT some of its IP's on the SRX that has the BGP session >>>> with our providers. >>>> >>>> I've been using static routes with the discard flag, but I don't really >>>> like the way the SRX handles traffic. It still creates sessions for traffic >>>> destined to IP's not used anywhere (hitting the static route) and can be >>>> easily dos'd because of this. >>>> >>>> Is there a better way to just tell our providers hey, we have this range? >>>> >>>> >>> It sounds like you're using the SRX as an edge router with a BGP session >>> upstream? >>> >>> I don't have this architecture here, but I had the same problem. I had my >>> edge router announce the /24 to the BGP upstreams, and my SRX announce the >>> /24 via OSPF to the MX. >>> >>> Unfortunately, one of my IPs was hammered, and filled up the session table >>> with invalid sessions. That's the real issue, at least in my case, was >>> that even invalid sessions were taking a session, and prohibiting >>> legitimate traffic from flowing. >>> >>> The solution was only to announce from SRX to MX (edge router) the /32s >>> that were actually in use. >>> >>> I suppose that a firewall filter may help on your ingress ports to only >>> permit the traffic to the /32s that are actually in use, but I can't say >>> from experience if this will happen before a session is created, even in >>> invalid state. >>> >>> Scott >>> _______________________________________________ >>> juniper-nsp mailing list juniper-nsp@puck.nether.net >>> https://puck.nether.net/mailman/listinfo/juniper-nsp >> _______________________________________________ >> juniper-nsp mailing list juniper-nsp@puck.nether.net >> https://puck.nether.net/mailman/listinfo/juniper-nsp >> > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp