Re: [j-nsp] Marking/shaping UDP reflection traffic
On Wed, 9 Mar 2022 at 19:48, Gert Doering via juniper-nsp wrote:

> We use different classes for UDP/123, UDP/53 (exclude well-known
> recursives), fragments, ... and are currently using between 20 and 100
> mbit/s for these classes. What is the right number for you depends
> on "how much can your customers stomach?" and "how much do you see
> under normal conditions?".

We do the same, but we classify protocols into two classes, 'important' and 'unimportant'. Unimportant being protocols we deem not to be used in reality for anything but abuse, and important to be dual-use.

'unimportant' gets policed on port-level out-right and 'important' gets 2coloured on port level, so that exceeding traffic gets downgraded below BE.

Answering 'what rate is right' is difficult without understanding better how you are policing, where, and what your access ports usually look like.

Do remember that JNPR policers are per NPU level by default, unlike CSCO which are per interface level and per-NPU level is not even a configurable option.

--
++ytti

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Marking/shaping UDP reflection traffic
Hi,

On Wed, Mar 09, 2022 at 05:10:25PM +, Dario Amaya via juniper-nsp wrote:

> I am looking to implement shaping/rate limiting of common DDOS
> reflection / amplification UDP traffic on our backbone ports.
>
> if we have a 10G backbone link how would I go about rate-limiting say
> udp/123 to maximum 5Gbps? Is anybody doing this already?

We rate-limit on all "Internet-facing" ports (IXP, transit), and not on backbone links - why rate-limit when it's already in, instead of just not letting it in...

We use different classes for UDP/123, UDP/53 (exclude well-known recursives), fragments, ... and are currently using between 20 and 100 mbit/s for these classes. What is the right number for you depends on "how much can your customers stomach?" and "how much do you see under normal conditions?".

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
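A Junos rendering of what the two replies above describe (Gert's per-protocol classes at a few tens of Mbit/s applied on Internet-facing ports, and ytti's split into a hard-policed 'unimportant' class and a two-colour 'important' class whose excess is demoted below best effort), written here as an added example that is not configuration from anyone in this thread. The filter, policer and prefix-list names, the 'scavenger' forwarding class (which must already exist under class-of-service), interface xe-0/0/0 and the exempt prefixes are all assumptions or constructed samples.

```junos
# Added example, not from the thread. Names, interface and prefixes are
# assumptions; the 20m/100m rates are within the range Gert quotes.

# well-known recursives that are exempt from DNS policing (constructed sample)
set policy-options prefix-list KNOWN-RECURSIVES 192.0.2.0/24
set policy-options prefix-list KNOWN-RECURSIVES 198.51.100.0/24

# 'unimportant' class (NTP, fragments): policed outright, excess is discarded
set firewall policer POLICE-UNIMPORTANT if-exceeding bandwidth-limit 20m
set firewall policer POLICE-UNIMPORTANT if-exceeding burst-size-limit 1m
set firewall policer POLICE-UNIMPORTANT then discard

# 'important' dual-use class (DNS): two-colour, excess demoted below BE
# ('scavenger' is an assumed forwarding class defined under class-of-service)
set firewall policer DEMOTE-IMPORTANT if-exceeding bandwidth-limit 100m
set firewall policer DEMOTE-IMPORTANT if-exceeding burst-size-limit 2m
set firewall policer DEMOTE-IMPORTANT then forwarding-class scavenger

# reflected traffic arrives with the amplifier's service port as SOURCE port
set firewall family inet filter EDGE-REFLECTION-IN term ntp from protocol udp
set firewall family inet filter EDGE-REFLECTION-IN term ntp from source-port 123
set firewall family inet filter EDGE-REFLECTION-IN term ntp then policer POLICE-UNIMPORTANT
set firewall family inet filter EDGE-REFLECTION-IN term ntp then count ntp-reflection

set firewall family inet filter EDGE-REFLECTION-IN term dns from protocol udp
set firewall family inet filter EDGE-REFLECTION-IN term dns from source-port 53
set firewall family inet filter EDGE-REFLECTION-IN term dns from source-prefix-list KNOWN-RECURSIVES except
set firewall family inet filter EDGE-REFLECTION-IN term dns then policer DEMOTE-IMPORTANT
set firewall family inet filter EDGE-REFLECTION-IN term dns then count dns-reflection

# trailing fragments carry no L4 header, so match on the fragment offset alone
set firewall family inet filter EDGE-REFLECTION-IN term fragments from is-fragment
set firewall family inet filter EDGE-REFLECTION-IN term fragments then policer POLICE-UNIMPORTANT
set firewall family inet filter EDGE-REFLECTION-IN term fragments then count fragment-reflection

# everything else passes; without this term the filter's implicit discard applies
set firewall family inet filter EDGE-REFLECTION-IN term allow-rest then accept

# apply inbound on Internet-facing ports (IXP, transit), not on backbone links
set interfaces xe-0/0/0 unit 0 family inet filter input EDGE-REFLECTION-IN
```

Strip the comment lines before `load set`. A policer referenced from a filter applied on several ports of the same PFE shares one token bucket unless the filter is marked `interface-specific`, which is the per-NPU behaviour ytti points out.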
[j-nsp] Marking/shaping UDP reflection traffic
Hello,

I am looking to implement shaping/rate limiting of common DDOS reflection / amplification UDP traffic on our backbone ports.

if we have a 10G backbone link how would I go about rate-limiting say udp/123 to maximum 5Gbps? Is anybody doing this already?