[145808] in North American Network Operators' Group


Re: Juniper DOS/Blackhole question

daemon@ATHENA.MIT.EDU (Stefan Fouant)
Sat Oct 22 23:15:13 2011

In-Reply-To: <4EA37016.9050402@brightok.net>
From: Stefan Fouant <sfouant@shortestpathfirst.net>
Date: Sat, 22 Oct 2011 23:14:14 -0400
To: Jack Bates <jbates@brightok.net>
Cc: NANOG list <nanog@nanog.org>

Enabling BGP multi-hop is a very common approach with DDoS Mitigation services and also variations of Remote-Triggered Black Holes where the discard route isn't localized on the edge router.  This is not because the customer router will be greater than one hop away, but because enabling multi-hop has an additional side effect of disabling next-hop validation. Without this enabled, the edge router will invalidate the "mitigate" routes received from the customer because the next-hop is not directly reachable via the neighbor.

Not sure about the PPS limitations... The PFE ASICs should be able to handle a 750Mbps / 1.5 Mpps DoS pretty easily...

HTHs.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Oct 22, 2011, at 9:38 PM, Jack Bates <jbates@brightok.net> wrote:

> Considered j-nsp, but this just feels more nanog appropriate.
>
> I'm told by one of my NSPs that I'm connected to a juniper. We were dealing with a DOS, and for some reason remote triggered DOS prevention via BGP wasn't working. The NOC said they had to enable multihop to my peering to make it work, otherwise it wouldn't accept the route. This seems strange to me. Any idea why a route would be rejected unless multihop was enabled?
>
> Also, any idea why a Juniper couldn't handle a simple 750mbit/s, 1.5Mpps DOS? Don't get me wrong, it could have been more than that. I was just receiving that much of the DOS and my lower end m120 didn't seem to think it an issue, so I'm curious why I was dropping packets on the link to begin with. Interestingly, I have an OC-12 to another NSP who was also dropping after around 1.2Mpps (last time I asked, they said the oc-12 hit a cisco 7600).
>
>
> Jack
>
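The setup Stefan describes (a customer announcing a /32 whose next hop is a discard address that lives on the provider's network rather than on the peering link), shown as an added Junos configuration sketch. This is not configuration from either poster or from Juniper; the addresses, AS numbers, community value and policy names are made up for illustration. The customer side rewrites the next hop of its blackhole /32s to the provider's published discard address; the provider side needs `multihop` on the EBGP neighbor so that a next hop off the peering subnet is resolved through the RIB instead of being rejected, and it needs the discard route itself so that resolution succeeds.

```junos
/* ===== Customer edge (AS 64500): export blackhole /32s toward the upstream ===== */
/* 192.0.2.1 is assumed to be the upstream's published discard next hop;     */
/* 64496:666 is assumed to be the upstream's blackhole community.            */
policy-options {
    community upstream-blackhole members 64496:666;
    policy-statement to-upstream {
        term blackhole {
            from {
                protocol static;
                tag 666;                       /* locally tagged victim /32s */
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                community add upstream-blackhole;
                next-hop 192.0.2.1;            /* not on the peering subnet */
                accept;
            }
        }
        term customer-prefixes {
            from route-filter 198.51.100.0/24 orlonger;
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}
routing-options {
    static {
        /* the address under attack, tagged so the export policy picks it up */
        route 198.51.100.77/32 discard tag 666;
    }
}

/* ===== Provider edge (AS 64496): accept the route and drop the traffic ===== */
routing-options {
    static {
        /* the discard route the customer's next hop resolves to */
        route 192.0.2.1/32 discard;
    }
}
policy-options {
    community blackhole members 64496:666;
    prefix-list customer-64500 {
        198.51.100.0/24;
    }
    policy-statement from-customer-64500 {
        term blackhole {
            from {
                community blackhole;
                /* only let the customer blackhole space assigned to them */
                prefix-list-filter customer-64500 longer;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then accept;
        }
        term customer-prefixes {
            from prefix-list-filter customer-64500 orlonger;
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}
protocols {
    bgp {
        group customers {
            type external;
            neighbor 203.0.113.2 {
                peer-as 64500;
                /* Without this, an EBGP route whose next hop is not on the
                   203.0.113.0/30 peering subnet is rejected; with it the
                   next hop is resolved via inet.0, where 192.0.2.1/32
                   above points to discard. */
                multihop;
                import from-customer-64500;
            }
        }
    }
}
```

Two checks worth doing after committing something like this: `show route receive-protocol bgp 203.0.113.2 198.51.100.77/32` on the provider side should show the route as active with next hop 192.0.2.1 rather than hidden, and `show route 192.0.2.1` should resolve to the discard static. The prefix-list in the provider import policy is the important security control here: multihop relaxes next-hop validation for everything the neighbor sends, so the policy, not the next-hop check, is what stops a customer from blackholing addresses that are not theirs.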

