nanog mailing list archives
Re: Juniper DOS/Blackhole question
From: Jack Bates <jbates () brightok net>
Date: Sat, 22 Oct 2011 22:26:46 -0500
On 10/22/2011 10:14 PM, Stefan Fouant wrote:
> Enabling BGP multi-hop is a very common approach with DDoS Mitigation services and also variations of Remote-Triggered Black Holes where the discard route isn't localized on the edge router. This is not because the customer router will be greater than one hop away, but because enabling multi-hop has an additional side effect of disabling next-hop validation. Without this enabled, the edge router will invalidate the "mitigate" routes received from the customer because the next-hop is not directly reachable via the neighbor.

Yeah, I didn't think of that side effect, probably because I don't modify next-hops myself.

> Not sure about the PPS limitations... The PFE ASICs should be able to handle a 750Mbps / 1.5 Mpps DoS pretty easy...

That's what I'm thinking. My m120 shows 0 problems with the load, but 2 of my transits dropped packets to me without saturating their respective links. I expected more out of NSPs.
Jack
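The provider-edge side of the setup Stefan describes, as an added Junos configuration example that is not from the thread: a static discard route for a blackhole next-hop, an import policy that accepts only customer /32s tagged with a blackhole community and pointing at that next-hop, and the multihop statement whose side effect (no next-hop validation) keeps those routes from being invalidated. The addresses (192.0.2.1, 198.51.100.2, 203.0.113.0/24), AS numbers and community value are constructed placeholders.

```junos
/* Added example, not from the thread. All addresses, ASNs and the
   community value are constructed placeholders. */
routing-options {
    static {
        /* Blackhole next-hop: anything resolving to it is dropped in the PFE.
           The thread's variant keeps this route deeper in the network; it can
           live on the edge too. Either way it is not on the customer's link. */
        route 192.0.2.1/32 {
            discard;
            no-readvertise;
        }
    }
}
policy-options {
    /* Community the customer attaches to routes it wants dropped. */
    community BLACKHOLE members 65000:666;
    policy-statement CUSTOMER-IN {
        term rtbh {
            from {
                community BLACKHOLE;
                next-hop 192.0.2.1;
                /* Only host routes inside the customer's own allocation. */
                route-filter 203.0.113.0/24 prefix-length-range /32-/32;
            }
            then accept;
        }
        term normal {
            /* Ordinary customer routes; prefix filtering omitted here. */
            then accept;
        }
    }
}
protocols {
    bgp {
        group CUSTOMER {
            type external;
            peer-as 65001;
            /* The customer is directly connected, so multihop is not needed
               for reachability. It is set because it also disables the
               next-hop validation that would otherwise reject routes whose
               next-hop (192.0.2.1) is not on the shared subnet. */
            multihop;
            import CUSTOMER-IN;
            neighbor 198.51.100.2;
        }
    }
}
```

Verify the result with `show route 203.0.113.5 detail` (for a tagged /32): the next-hop should resolve to the discard route, and without `multihop` the same route shows up as unusable because its next-hop cannot be validated.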
Current thread:
- Juniper DOS/Blackhole question Jack Bates (Oct 22)
- Re: Juniper DOS/Blackhole question Stefan Fouant (Oct 22)
- Re: Juniper DOS/Blackhole question Jack Bates (Oct 22)
- Re: Juniper DOS/Blackhole question Christopher Morrow (Oct 22)
- Re: Juniper DOS/Blackhole question Jack Bates (Oct 22)
- Re: Juniper DOS/Blackhole question Saku Ytti (Oct 23)
- Re: Juniper DOS/Blackhole question Jack Bates (Oct 23)
- Re: Juniper DOS/Blackhole question Stefan Fouant (Oct 22)