Juniper DOS/Blackhole question

Stefan Fouant sfouant at shortestpathfirst.net
Sat Oct 22 22:14:14 CDT 2011


Enabling BGP multi-hop is a very common approach with DDoS Mitigation services and also variations of Remote-Triggered Black Holes where the discard route isn't localized on the edge router.  This is not because the customer router will be greater than one hop away, but because enabling multi-hop has an additional side effect of disabling next-hop validation. Without this enabled, the edge router will invalidate the “mitigate” routes received from the customer because the next-hop is not directly reachable via the neighbor.

Not sure about the PPS limitations... The PFE ASICs should be able to handle a 750 Mbps / 1.5 Mpps DoS pretty easily...

HTHs.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Oct 22, 2011, at 9:38 PM, Jack Bates <jbates at brightok.net> wrote:

> Considered j-nsp, but this just feels more nanog appropriate.
> 
> I'm told by one of my NSPs that I'm connected to a juniper. We were dealing with a DOS, and for some reason remote triggered DOS prevention via BGP wasn't working. The NOC said they had to enable multihop to my peering to make it work, otherwise it wouldn't accept the route. This seems strange to me. Any idea why a route would be rejected unless multihop was enabled?
> 
> Also, any idea why a Juniper couldn't handle a simple 750 Mbit/s, 1.5 Mpps DOS? Don't get me wrong, it could have been more than that. I was just receiving that much of the DOS and my lower-end M120 didn't seem to think it an issue, so I'm curious why I was dropping packets on the link to begin with. Interestingly, I have an OC-12 to another NSP who was also dropping after around 1.2 Mpps (last time I asked, they said the OC-12 hit a Cisco 7600).
> 
> 
> Jack
> 
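As an added illustration of the arrangement Stefan describes (this is not configuration from either poster, nor from Juniper documentation), here is a minimal Junos configuration for the RTBH variant where the customer announces a host route with a next hop of a well-known blackhole address that the provider routes to discard on every router. All addresses, AS numbers, policy names and the community value are assumptions chosen from documentation ranges; the customer's peering address is 198.51.100.2, the provider's is 198.51.100.1.

```junos
/* ---- Customer edge (AS 64496, the network under attack) ---- */
routing-options {
    static {
        /* Victim host to be sunk upstream. Discarding locally as well keeps
           any residual attack traffic off the customer LAN. */
        route 203.0.113.77/32 discard;
    }
}
policy-options {
    community BLACKHOLE members 64496:666;      /* assumed value, not a standard */
    policy-statement EXPORT-TO-NSP {
        term blackhole {
            from {
                protocol static;
                route-filter 203.0.113.77/32 exact;
            }
            then {
                /* 192.0.2.1 is NOT on the 198.51.100.0/30 peering link. A
                   single-hop eBGP neighbour will treat this next hop as
                   invalid and hide the route unless multihop (or an
                   equivalent knob) is configured on its side. */
                next-hop 192.0.2.1;
                community add BLACKHOLE;
                accept;
            }
        }
        term customer-aggregate {
            from route-filter 203.0.113.0/24 exact;
            then accept;
        }
        then reject;
    }
}
protocols {
    bgp {
        group NSP {
            type external;
            export EXPORT-TO-NSP;
            neighbor 198.51.100.1 {
                peer-as 64500;
            }
        }
    }
}

/* ---- Provider edge (AS 64500) ---- */
routing-options {
    static {
        /* Present on every provider router, so traffic toward the victim is
           dropped wherever it enters, not only at this edge. */
        route 192.0.2.1/32 discard;
    }
}
policy-options {
    community BLACKHOLE members 64496:666;
    community NO-EXPORT members no-export;
    policy-statement FROM-CUSTOMER-64496 {
        term blackhole {
            from {
                community BLACKHOLE;
                /* Only host routes inside the customer's own allocation may
                   be blackholed; otherwise a customer could sink traffic
                   destined to anyone. */
                route-filter 203.0.113.0/24 prefix-length-range /32-/32;
            }
            then {
                community add NO-EXPORT;   /* keep the /32 inside AS 64500 */
                accept;
            }
        }
        term customer-prefixes {
            from route-filter 203.0.113.0/24 exact;
            then accept;
        }
        then reject;
    }
}
protocols {
    bgp {
        group CUSTOMERS {
            type external;
            /* The side effect being relied on: multihop switches off the
               check that an eBGP next hop must be on the directly connected
               subnet, so 192.0.2.1 is resolved through the routing table
               (where it hits the discard route) instead of being rejected. */
            multihop;
            import FROM-CUSTOMER-64496;
            neighbor 198.51.100.2 {
                peer-as 64496;
            }
        }
    }
}
```

The provider-side import policy is the part worth checking in a real deployment: without the prefix-length and community restriction, enabling multihop for a customer session means accepting whatever next hop that customer chooses to attach to whatever prefix it announces. Junos also offers an `accept-remote-nexthop` statement under the BGP group that relaxes only the next-hop check and leaves the session single-hop; a provider that does not want multihop TTL semantics on a directly connected session can use that instead.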


