> On Jan 3, 2019, at 3:34 PM, Saku Ytti <s...@ytti.fi> wrote:
>
> On Thu, 3 Jan 2019 at 22:23, Jason Lixfeld <jason-j...@lixfeld.ca> wrote:
>
>> If you match on specific source (and presumably specific destination)
>> addresses, why is a directionally agnostic port match bad? Or is it not so
>> much bad as it is being too lazy to create a second term or an established
>> filter/term?
>
> Because they can set SPORT==BGP and DPORT==SSH and hammer your SSH.

Ah, of course.

>>> e) have ultimate deny all rule
>>>
>>> On top of that, configure _every_ ddos-protection protocol.
>>
>> Assuming a policer falls into the category of ddos-protection protocol, what
>> sorts of others are you referring to?
>
> MX has specific configuration called 'ddos-protection' which covers
> many protocols L3 and others and is fixing the problem of one bad
> actor (one bad BGP session) causing collateral damage.

Good to know, thanks.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
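The point Saku makes above, shown as a Junos RE-protection filter: a term that matches `port bgp` accepts any TCP packet from a peer address that has 179 as *either* source or destination port, so a packet with source port 179 and destination port 22 from a spoofed or compromised peer address sails through to SSH. The hardened version splits the match into a `destination-port bgp` term for inbound session setup and a `source-port bgp` term that additionally requires `tcp-established`, then lets the final deny term catch everything else. This is an added example written for this thread, not configuration from either poster; the filter, prefix-list and counter names, the 192.0.2.0/24 and 203.0.113.0/24 peer and management prefixes (documentation ranges), and the ddos-protection bandwidth and burst values are all illustrative assumptions.

```junos
/* ---- weak: direction-agnostic port match (do not use) ---- */
firewall {
    family inet {
        filter PROTECT-RE-WEAK {
            term bgp-any-direction {
                from {
                    source-prefix-list { BGP-PEERS; }
                    protocol tcp;
                    /* 'port' matches source OR destination port 179,
                       so sport=179/dport=22 from a peer address is accepted */
                    port bgp;
                }
                then accept;
            }
            term deny-all {
                then { count deny-all; log; discard; }
            }
        }
    }
}

/* ---- hardened: direction-specific BGP terms, separate SSH term ---- */
policy-options {
    prefix-list BGP-PEERS { 192.0.2.0/24; }     /* assumed peer range */
    prefix-list MGMT-HOSTS { 203.0.113.0/24; }  /* assumed management range */
}
firewall {
    family inet {
        filter PROTECT-RE {
            term bgp-inbound {
                from {
                    source-prefix-list { BGP-PEERS; }
                    protocol tcp;
                    destination-port bgp;   /* peer opening a session to us */
                }
                then accept;
            }
            term bgp-replies {
                from {
                    source-prefix-list { BGP-PEERS; }
                    protocol tcp;
                    source-port bgp;        /* replies to sessions we opened */
                    tcp-established;        /* ACK or RST set: no fresh SYNs */
                }
                then accept;
            }
            term ssh-mgmt {
                from {
                    source-prefix-list { MGMT-HOSTS; }
                    protocol tcp;
                    destination-port ssh;   /* SSH only from management hosts */
                }
                then accept;
            }
            term deny-all {
                then { count deny-all; log; discard; }  /* ultimate deny rule */
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input PROTECT-RE; } }
        }
    }
}

/* ---- MX ddos-protection: per-protocol policer so one bad peer
        cannot starve the others (values are illustrative) ---- */
system {
    ddos-protection {
        protocols {
            bgp {
                aggregate {
                    bandwidth 1000;   /* packets per second, assumed */
                    burst 1000;       /* packets, assumed */
                }
            }
        }
    }
}
```

Before committing, `show firewall filter PROTECT-RE` lets you confirm the deny-all counter is not quietly eating legitimate BGP traffic, and the `log` action in the final term gives you the source/destination ports of whatever is being dropped, which is the quickest way to spot the sport-179/dport-22 pattern described above.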