In my opinion trying to scrub DDoS traffic yourself is a losing battle. Its likely that an attacker can easily fill the ingress points onto your network. If this is the case, then legitimate traffic will be dropped before it even hits you. The damage is already done. The only way around this is bigger links, which can be costly and your not even guaranteed to have links big enough to cope with an attack.
You're better off looking at your upstreams to assist you with this. They likely have some form of traffic scrubbing solution that you can employ when under attack. Its likely a lot easier for you to administrate too. Regards, Dave On 14 April 2016 at 22:57, Payam Chychi <pchy...@gmail.com> wrote: > What gear do you currently have? What do your filtering rules look like? > You don't need to buy new gear if your filtering much of the bad traffic at > the edge using simple ACLs > > > > On Apr 14, 2016, 2:39 PM -0700, Dovid Bender<do...@telecurve.com>, wrote: > > Why not use an external service to scrub your traffic? > > > > Regards, > > > > Dovid > > > > -----Original Message----- > > From: Satish Patel<satish....@gmail.com > > Sender: "juniper-nsp"<juniper-nsp-boun...@puck.nether.net>Date: Thu, 14 > Apr 2016 17:35:17 > > To:<juniper-nsp@puck.nether.net > > Subject: [j-nsp] Cisco vs Juniper confused > > > > This is my first port here, We are small size of company and now we > > are getting harsh by DDoS stuff. We have 10G link in our network > > terminated on L3 Cisco switch and from there other switches. > > Everything was working great but recently we started seeing DDoS more > > and more. They are filling 10G link using NTP, IPFrag etc. attack. > > > > Now we are looking for big gear so we keep bad guys out and scrub > > traffic but confused between Juniper Vs Cisco war.. I am not able to > > decide what to buy and how it will help us. I have following in my > > mind, We thought about ASR firewall too but not sure because it can > > handle DDoS or not. > > > > Need your suggestion what i should buy and why? One more thing we are > > planning to run BGP so we can do null triggering etc. > > > > MX80 vs ASR100X - Does this enough to handle DDoS and filter traffic? > > > > MX240 vs ASR900X > > _______________________________________________ > > juniper-nsp mailing list juniper-nsp@puck.nether.net > > https://puck.nether.net/mailman/listinfo/juniper-nsp > > _______________________________________________ > > juniper-nsp mailing list juniper-nsp@puck.nether.net > > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
