Hi Saku, agree with you, LPTS is doing a better job right now... If I'm not wrong or misinterpreting Juniper documentation, Junos ddos already supports per-flow ddos (12.3 and later)

Best regards
Santiago
url: http://www.juniper.net/techpubs/en_US/junos12.3/topics/task/configuration/scfd-enable-globally.html

[edit system ddos-protection global]
user@host# set flow-detection

(global: http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/configuration-statement/global-edit-ddos.html
flow-detection: http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/configuration-statement/enable-scfd-edit-system-ddos-protection.html)

On Thu, Jan 30, 2014 at 2:46 PM, Saku Ytti <s...@ytti.fi> wrote:

> On (2014-01-30 14:35 +0400), Misak Khachatryan wrote:
>
> > Thanks Abhi, i saw this document, but i need real life experience
> > about hardening thresholds or implementing additional
> > filter/policers.
>
> In my experience there is some built-in unconfigurable policer to limit how
> many packets can hit control-plane.
> Under attack, when IGP, BGP, LDP etc are all dead, the UI is a happy camper,
> with control-plane CPU load in MX960 just a few percent, it should be dying,
> the global policer is just making attackers' job easier by essentially
> downgrading CPU performance.
>
> So it probably goes something like this
>
> traffic => if-filter => lo-filter => ddos-policer => global-unconfigurable-policer
>
> Stock limitation to most DDoS policers is 20kpps, which is more than enough
> to bring MX960 to its knees
>
> If your DDoS policer can see good and bad traffic, low limit will just make
> attacking easier. It's mostly useful to catch things lo0 cannot reasonably
> protect like HTTP rate (you'd need <=4Mbps policer to have acceptable pps),
> BGP rate, etc and to catch non-IP stuff lo0 cannot handle and to fix
> accidental errors causing flood of 'trusted/good' packets.
> But in this case, you'd rather keep IGP and BGP rocking than multicast, so I'd
> police all non-critical to under 4kpps in DoS policer. For critical I'd
> try to guarantee only good traffic passes lo0.
>
> Longer term, JunOS should adapt LPTS from IOS-XR, where each session has
> unique policer, making sure that one session attacking does not stop
> non-attacking sessions from working.
> Shorter term JunOS should add PPS policers in FW filters for proper lo0
> filtering and configurable global policer (I'd just remove it personally).
>
> --
>   ++ytti
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
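As an added illustration of the split Saku describes (guarantee that only good traffic for critical protocols passes lo0, rate-limit the non-critical rest in the DDoS policer) combined with the per-flow detection Santiago points to. This is a constructed example, not configuration from the thread or from Juniper's documentation; the peer prefixes (RFC 5737 documentation ranges), rates, and the choice of PIM as the "non-critical" protocol are assumptions. A production lo0 filter would also need terms for the IGP, LDP, management and so on before the final discard.

```junos
/* Constructed example: known BGP peers (RFC 5737 documentation addresses). */
policy-options {
    prefix-list bgp-peers {
        192.0.2.1/32;
        198.51.100.1/32;
    }
}
firewall {
    /* Filter policers on Junos 12.3 are bit-rate based, so a low bps limit
       is the only way to bound pps here (the limitation Saku notes). */
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Critical: BGP only from configured peers, unpoliced, so that
               legitimate sessions are never throttled by attack traffic. */
            term bgp-from-peers {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Non-critical: ICMP is rate-limited before it reaches the
               DDoS policer and the global policer behind it. */
            term icmp-limited {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Assumed final term; real deployments add IGP, LDP and
               management terms above this one. */
            term deny-rest {
                then {
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
system {
    ddos-protection {
        global {
            /* Per-flow detection (Junos 12.3+), as referenced in the thread. */
            flow-detection;
        }
        protocols {
            /* Lower the stock per-protocol policer for non-critical multicast
               control traffic so it cannot crowd out IGP/BGP; 4000 pps is an
               assumed value following the "under 4kpps" suggestion above. */
            pim {
                aggregate {
                    bandwidth 4000;
                    burst 4000;
                }
            }
        }
    }
}
```

The design point is the asymmetry: critical protocols are admitted by source (prefix-list) rather than by rate, so their policer can never be driven to drop good packets, while anything that cannot be filtered by source gets a deliberately low ceiling. After commit, `show ddos-protection protocols pim statistics` and `show firewall filter protect-re` are the places to check whether the limits are actually being hit.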