Effective ways to deal with DDoS attacks?

Richard A Steenbergen ras at e-gerbil.net
Thu May 2 16:53:38 UTC 2002


On Thu, May 02, 2002 at 09:41:33AM -0700, LeBlanc, Jason wrote:
> 
> Yes, Juniper can be convinced to add things, we've asked for a few.  ;)
> Part of the problem with asking for new things on an ASIC, takes time.
> Anything they add in their code to help filter will likely not be done
> in hardware, meaning potential impact.  I know some people need to
> filter on their routers for various reasons, but my thoughts are to
> minimize this.  A router that is working hard at just forwarding packets
> doesn't need the extra overhead of looking deep into packet headers to
> figure out what to do with packets.  Juniper is better at this, as are
> some Cisco products, but the GSR is a crappy packet filter if you put
> enough traffic through it.  Yes certain linecards are better than
> others, but the newer they are the more buggy they are, and we're
> talking HW here, so bug fixes will be a while.

I think you're misunderstanding how this works.

http://www.juniper.net/news/features/ipii/faq_ip2.html
http://www.juniper.net/techcenter/techpapers/200015-03.html

3. How does the Internet Processor II ASIC enable service providers to
upgrade functionality without upgrading hardware? Essentially, the
Internet Processor II ASIC contains logic that implements a number of
lookup algorithms, including trees, tables, firewall programs, and a way
to chain those individual lookups together in an arbitrary sequence. The
final answer to an entire lookup, then, is the result of all the matches
that were run. By implementing complex lookups as a series of fundamental
primitives, the ASIC can support almost anything for which an application
can be described. Since the ASIC implementation is so general, new
functionality can be enabled in JUNOS software upgrades without having to
swap hardware.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
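
A conceptual sketch of the chained-lookup idea in the FAQ answer quoted above, added here as an illustration; it is not code from the post or from Juniper and does not describe the ASIC's real internals. The primitive names, packet fields, interface labels and filter term are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Conceptual model only: each primitive takes the packet and the results
# gathered so far, and returns the updated results.

def tree(routes):
    """'Tree' primitive: longest-prefix match on the destination address."""
    nets = sorted(((ipaddress.ip_network(p), nh) for p, nh in routes.items()),
                  key=lambda e: e[0].prefixlen, reverse=True)
    def step(pkt, res):
        dst = ipaddress.ip_address(pkt["dst"])
        res["next_hop"] = next((nh for net, nh in nets if dst in net), None)
        return res
    return step

def table(field, mapping, out):
    """'Table' primitive: exact-match lookup on a single header field."""
    def step(pkt, res):
        res[out] = mapping.get(pkt[field], "default")
        return res
    return step

def firewall(terms):
    """'Firewall program' primitive: ordered terms, first full match wins."""
    def step(pkt, res):
        for name, cond, action in terms:
            if all(pkt.get(k) == v for k, v in cond.items()):
                res["matched_term"], res["action"] = name, action
                return res
        res["action"] = "accept"  # no term matched
        return res
    return step

def run_chain(chain, pkt):
    """Run the primitives in configured order; a discard ends the lookup."""
    res = {}
    for step in chain:
        res = step(pkt, res)
        if res.get("action") == "discard":
            break
    return res

# Constructed sample: the chain is plain data, so adding a filter or
# reordering the lookups changes configuration, not the primitives.
CHAIN = [
    firewall([("drop-udp-flood", {"dst": "192.0.2.10", "proto": 17}, "discard")]),
    table("proto", {6: "tcp-queue", 17: "udp-queue"}, "queue"),
    tree({"192.0.2.0/24": "if-A", "0.0.0.0/0": "if-B"}),
]
```

The result for a packet is the combination of every lookup that ran, which is the property the FAQ answer describes.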


