Thanks Roland,

Your link has tons of material. After reading all the wonderful comments from all you guys, it looks like Router + BGP + ACL will be a good solution; as someone mentioned, a stateful firewall has its own limitations and it can't scale. Routers work at the HW layer, so they will provide more PPS and faster performance when we are under water.
We are currently using Suricata IDS to detect DDoS, which is really great open-source software.

On Thu, Apr 14, 2016 at 8:07 PM, Roland Dobbins <rdobb...@arbor.net> wrote:
> On 15 Apr 2016, at 4:35, Satish Patel wrote:
>
>> We thought about ASR firewall too but not sure because it can
>> handle DDoS or not.
>
> Stateful firewalls aren't good at dealing with DDoS attacks - they go down
> more quickly than 'naked' hosts due to state-table exhaustion (link to .pdf
> preso):
>
> <https://app.box.com/s/a3oqqlgwe15j8svojvzl>
>
> S/RTBH, flowspec, and possibly intelligent DDoS mitigation systems (IDMSes)
> are tools you can utilize to deal with DDoS attacks.
>
> [Full disclosure: I work for a vendor of such systems.]
>
> You also need to ensure that you implement BCPs like iACLs in order to
> ensure that your network infrastructure devices themselves are protected
> against DDoS attacks.
>
> This is an older post on NANOG, but it still has relevance, IMHO:
>
> <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
>
> Again, be sure to include flowspec (supported on Juniper platforms for a
> long time, now finally supported on some Cisco platforms) in your toolkit.
>
> There are other .pdf presos related to DDoS defense which may be of interest
> here:
>
> <https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
>
> -----------------------------------
> Roland Dobbins <rdobb...@arbor.net>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp