Marking/shaping UDP reflection traffic
Hello,

I am looking to implement shaping/rate limiting of common DDOS
reflection / amplification UDP traffic on our backbone ports.

if we have a 10G backbone link how would I go about rate-limiting say
udp/123 to maximum 5Gbps? Is anybody doing this already?
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Marking/shaping UDP reflection traffic
Hi,

On Wed, Mar 09, 2022 at 05:10:25PM +0000, Dario Amaya via juniper-nsp wrote:
> I am looking to implement shaping/rate limiting of common DDOS
> reflection / amplification UDP traffic on our backbone ports.
>
> if we have a 10G backbone link how would I go about rate-limiting say
> udp/123 to maximum 5Gbps? Is anybody doing this already?

We rate-limit on all "Internet-facing" ports (IXP, transit), and not
on backbone links - why rate-limit when it's already in, instead of just
not letting it in...

We use different classes for UDP/123, UDP/53 (exclude well-known
recursives), fragments, ... and are currently using between 20 and 100
mbit/s for these classes. What is the right number for you depends
on "how much can your customers stomach?" and "how much do you see
under normal conditions?".

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
Re: Marking/shaping UDP reflection traffic
On Wed, 9 Mar 2022 at 19:48, Gert Doering via juniper-nsp
<juniper-nsp@puck.nether.net> wrote:

> We use different classes for UDP/123, UDP/53 (exclude well-known
> recursives), fragments, ... and are currently using between 20 and 100
> mbit/s for these classes. What is the right number for you depends
> on "how much can your customers stomach?" and "how much do you see
> under normal conditions?".

We do the same, but we classify protocols to two classes 'important'
and 'unimportant'. Unimportant being protocols we deem not to be used
in reality for anything but abuse, and important to be dual-use.
'unimportant' gets policed on port-level out-right and 'important'
gets 2coloured on port level, that exceeding traffic gets downgraded
below BE.

Answering 'what rate is right' is difficult without understanding
better how you are policing, where and what your access ports usually
look like. Do remember that JNPR policers are per NPU level by
default, unlike CSCO which are per interface level and per-NPU level
is not even a configurable option.

--
++ytti
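The configuration below is an added illustration of the approach the two replies describe (ingress policing on an Internet-facing port, a hard-policed class for UDP/123 and fragments, and a two-colour class for UDP/53 with well-known recursives exempted). It is not configuration posted by any of the participants. The interface name, the filter, policer and counter names, the bandwidth and burst values, and the 192.0.2.0/24 entry in the prefix list are all assumptions to be replaced with local values.

```junos
/* Added example, not from the thread. Applied inbound on an
   Internet-facing port (IXP/transit), not on a backbone link. */
policy-options {
    prefix-list KNOWN-RECURSIVES {
        /* placeholder prefix: list the resolvers you want exempted */
        192.0.2.0/24;
    }
}
firewall {
    /* 'unimportant' class: excess is discarded outright */
    policer POLICE-NTP {
        if-exceeding {
            bandwidth-limit 50m;      /* assumed rate */
            burst-size-limit 1m;
        }
        then discard;
    }
    policer POLICE-FRAGS {
        if-exceeding {
            bandwidth-limit 20m;      /* assumed rate */
            burst-size-limit 1m;
        }
        then discard;
    }
    /* 'important' (dual-use) class: excess is kept but marked so it is
       the first traffic dropped under congestion */
    policer POLICE-DNS {
        if-exceeding {
            bandwidth-limit 100m;     /* assumed rate */
            burst-size-limit 2m;
        }
        then loss-priority high;
    }
    family inet {
        filter EDGE-REFLECTION-IN {
            /* separate policer and counter instance per interface the
               filter is bound to, instead of one shared instance */
            interface-specific;
            term ntp-reflection {
                from {
                    protocol udp;
                    source-port 123;
                }
                then {
                    policer POLICE-NTP;
                    count ntp-reflection;
                    accept;
                }
            }
            term dns-from-known-recursives {
                from {
                    source-prefix-list {
                        KNOWN-RECURSIVES;
                    }
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            term dns-reflection {
                from {
                    protocol udp;
                    source-port 53;
                }
                then {
                    policer POLICE-DNS;
                    count dns-reflection;
                    accept;
                }
            }
            term fragments {
                from {
                    is-fragment;
                }
                then {
                    policer POLICE-FRAGS;
                    count fragments;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/0 {                        /* assumed edge interface */
        unit 0 {
            family inet {
                filter {
                    input EDGE-REFLECTION-IN;
                }
            }
        }
    }
}
```

The counters attached to each term are what answer the "how much do you see under normal conditions?" question: bind the filter with the policers' rates set generously first, watch the per-term counters for a while, then lower the limits. To push exceeding DNS traffic into a class below best-effort rather than just raising its drop priority, a policer's then clause can also set forwarding-class to a scavenger class defined under class-of-service with its own scheduler.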