Juniper DOS/Blackhole question

Jack Bates jbates at brightok.net
Sun Oct 23 03:26:46 UTC 2011


On 10/22/2011 10:14 PM, Stefan Fouant wrote:
> Enabling BGP multi-hop is a very common approach with DDoS Mitigation services and also variations of Remote-Triggered Black Holes where the discard route isn't localized on the edge router.  This is not because the customer router will be greater than one hop away, but because enabling multi-hop has an additional side effect of disabling next-hop validation. Without this enabled, the edge router will invalidate the “mitigate” routes received from the customer because the next-hop is not directly reachable via the neighbor.
yeah, I didn't think of that side effect, probably because I don't 
modify next-hops myself.

> Not sure about the PPS limitations... The PFE ASICs should be able to handle a 750Mbps / 1.5 Mpps DoS pretty easy...

That's what I'm thinking. My m120 shows 0 problems with the load, but 2 
of my transits dropped packets to me without saturating their respective 
links. I expected more out of NSPs.

Jack
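The RTBH arrangement Stefan describes (a customer-announced "mitigate" route whose next-hop points at a discard address that is not directly connected, accepted only because multihop turns off next-hop validation) can be shown in a short Junos fragment. This is an added illustration, not configuration from either poster; the AS numbers, the 64500:666 community, the 192.0.2.1 discard address and the 203.0.113.0/24 customer block are placeholders from the documentation ranges.

```junos
/* Edge router: discard route for the blackhole next-hop.
   This could equally live on a core router and be learned via the IGP;
   the edge only needs a route to 192.0.2.1 that ends in discard. */
routing-options {
    static {
        route 192.0.2.1/32 discard;
    }
}

policy-options {
    /* Only the customer's own space may be blackholed, and only as host routes */
    prefix-list customer-space {
        203.0.113.0/24;
    }
    community RTBH members 64500:666;
    policy-statement customer-rtbh-import {
        term blackhole {
            from {
                community RTBH;
                prefix-list-filter customer-space longer;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                /* Rewrite the next-hop ourselves so a customer mistake
                   in the announced next-hop cannot steer traffic elsewhere */
                next-hop 192.0.2.1;
                accept;
            }
        }
        term customer-prefixes {
            from {
                prefix-list-filter customer-space orlonger;
            }
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}

protocols {
    bgp {
        group customer-rtbh {
            type external;
            /* Multihop is what disables next-hop validation on this session,
               so a next-hop of 192.0.2.1 (not on the link) is not discarded. */
            multihop {
                ttl 255;
            }
            import customer-rtbh-import;
            peer-as 64496;
            neighbor 198.51.100.2;
        }
    }
}
```

Two checks worth keeping in the import policy: the prefix-list-filter pins blackhole announcements to the customer's own allocation, and the explicit `next-hop 192.0.2.1` rewrite means the edge router, not the customer, chooses where discarded traffic is sent. Once the session is up, `show route 203.0.113.5/32 detail` on the edge should show the route with next-hop 192.0.2.1 resolving to the discard route.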
