Re: [j-nsp] Decoding DDOS messages

2020-03-22 Thread adamv0025
> Saku Ytti > Sent: Wednesday, March 18, 2020 4:37 PM > > On Wed, 18 Mar 2020 at 18:30, John Kristoff wrote: > > > Yep, I get all that. I can tighten that up. Care to show us how you > > do loopback filters? > > Really Juniper would be in the best position to automatically generate > lo0

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread Jason Healy
Saku, Thank you for your responses. I'm trying to learn about this as I go... On Mar 18, 2020, at 10:39 AM, Saku Ytti wrote: > > Your L2 should be in its virtual-switch/vpls (doesn't imply VPLS) > instance with forwarding-plane filter policing BUM. But unrelated to > subject. You might need

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread Saku Ytti
On Wed, 18 Mar 2020 at 18:30, John Kristoff wrote: > Yep, I get all that. I can tighten that up. Care to show us how you > do loopback filters? It is situational, it's hard to come up with one-size-fits-all. One approach would be a basic skeleton, on top of which people then expand what they

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread John Kristoff
On Wed, 18 Mar 2020 16:18:18 + Saku Ytti wrote: > I set SPORT to 179 > I access your SSH port Yep, I get all that. I can tighten that up. Care to show us how you do loopback filters? John ___ juniper-nsp mailing list juniper-nsp@puck.nether.net

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread Saku Ytti
This wasn't the only problem, there are many issues, it's normal, I've not read a single lo0 filter in a real network which isn't fundamentally broken. Trying to tactically address the problems is a waste of time when a redesign is needed. On Wed, 18 Mar 2020 at 18:18, Saku Ytti wrote: > > I'm your BGP

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread Saku Ytti
I'm your BGP speaker. I set SPORT to 179 I access your SSH port On Wed, 18 Mar 2020 at 18:16, John Kristoff wrote: > > On Wed, 18 Mar 2020 16:02:09 + > Saku Ytti wrote: > > > It is completely broken, you use 'port' so you expose every port in your > > system. > > Ha, OK thanks. I think

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread John Kristoff
On Wed, 18 Mar 2020 16:02:09 + Saku Ytti wrote: > It is completely broken, you use 'port' so you expose every port in your > system. Ha, OK thanks. I think that would require some not so easy spoofing unless I'm missing something. We can convert any statement that just uses port to

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread Saku Ytti
On Wed, 18 Mar 2020 at 17:01, John Kristoff wrote: > It is completely broken, you use 'port' so you expose every port in your system. -- ++ytti

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread John Kristoff
On Wed, 18 Mar 2020 14:39:19 + Saku Ytti wrote: > Unfortunately even non-broken lo0 filter is extremely uncommon, even > MX book has fundamentally broken example, as is CYMRU example. Team Cymru only lists a Cisco BGP, general NTP (which includes a Juniper example), and Juniper IP multicast

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread Tom Beecher
This is the most recent Juniper document I had bookmarked for the QFX. https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/protocols-edit-ddos-qfx-series.html I agree with Saku that the ddos-policer is a good tool to use, but as he said it requires turning

Re: [j-nsp] Decoding DDOS messages

2020-03-18 Thread Saku Ytti
Hey Jason, > Questions about the ddos-protection "features". We're on a qfx5100-48 > running 16.1. I know that folks on the list aren't always big fans of > ddos-protection; I'm just trying to understand what is triggering it so I can > make decisions about tuning/disabling/ignoring it. I