Junos OS


DDoS Protection for subscribers

  • 1.  DDoS Protection for subscribers

     
    Posted 06-19-2018 02:23

    Hi,

     

    I am currently reviewing the following documentation with regards to protecting our network and Subscribers from DDoS attacks:

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/subscriber-management-ddos-example.html

     

    What I would like to know is what the recommended rates would be on 10g links please?



  • 2.  RE: DDoS Protection for subscribers

     
    Posted 06-19-2018 06:49

    To get to the answer I require, would the following sound plausible:

     

    1024 bytes in 1kb

    1024 kb in 1mb

    1024 mb in 1gb

     

    so, 1024 x 1024 x 1024 x 10 / 1500 (Ethernet packet)

     

    Gives me 7,158,278 - Does this sound right for a PPS throughput on a 10g link? Sounds a little high to me

     

    Thanks



  • 3.  RE: DDoS Protection for subscribers
    Best Answer

     
    Posted 06-19-2018 09:26

    Ignore. It looks like it will be a test and see scenario. Thanks.



  • 4.  RE: DDoS Protection for subscribers

     
    Posted 06-19-2018 11:24

    Hi,

     

    DDoS for subscribers depends on the type of access mode in which the B-RAS (as edge) is deployed. If it's an open network (like airports, malls, etc.), or if the access network is multiplexed from many sub-providers, the DDoS for subscribers is tuned to an aggressive value.

     

    If the access side of your network is well protected with border/edge firewalls (and the B-RAS is deployed for home/office/residence broadband subscribers), you should stick with the default DDoS settings, which pretty much do the job: they rate-limit/police high incoming flows when they hit the default peak rate for a given protocol (in DDoS). Also, on top of DDoS, from JUNOS 15.1 onwards, we have another lightweight protection function called ERA (Event Rate Analyzer), which is turned ON by default, giving enough protection against high incoming frames. For more on what ERA is or does, check my post here: https://forums.juniper.net/t5/Junos/jdhcpd-era-discover-log-what-is-it-for/m-p/323735#M12783

     

    And of course, if at any point the operator suspects control packet drops or high inflow taking CPU resources due to a possible DDoS, you can tune DDoS for the given protocol based on active pps inflow.