Automation

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about Apstra, Paragon, and all things network automation.

  • 1.  Inquiry Regarding L3/L4 DDoS Mitigation Capabilities of Juniper SRX Devices

    Posted 04-21-2025 10:24

    Dear Community,

    Greetings to all. We are a data center that utilizes Juniper routers and switches across our entire network infrastructure. To protect against potential L3/L4 DDoS threats originating from outside the country, we are currently using a secure uplink service through a GRE tunnel in partnership with Serverius. However, we are now considering the implementation of the Juniper SRX4600 device to mitigate potential attacks originating from within the country.

    We are seeking insights from professionals with in-depth experience in Juniper SRX devices who can help us assess whether this would be a suitable and effective decision.

    Currently, the initial entry point of our traffic is the Juniper MX204. On this device, we apply several policies to filter a significant portion of the traffic and manage UDP and TCP flows through different scenarios at the lower layers. However, we have begun to experience performance degradation when high-volume TCP attacks reach the lower layers of the infrastructure.

    For this reason, we are planning to continue filtering traffic downstream of the MX204 using the SRX4600, with the goal of efficiently and reliably mitigating harmful traffic. Domestic attack volumes typically do not exceed 5–10 Gbps. Based on the datasheet, the SRX4600 appears capable of handling such volumes without issue. However, we are interested in understanding whether it can deliver this level of performance-or something close to it-in real-world scenarios.

    In summary, is there anyone who can provide insight or a reasonable expectation of how a well-configured SRX4600 would perform in the event of a 40–100 Gbps TCP-based volumetric attack? We do not have any concerns related to Layer 7 traffic, and thus we intend to configure the SRX4600 exclusively for L3/L4 protection, with all other features disabled.

    Given its capacity of 650,000 sessions per second and 60 million concurrent sessions, can we rely on the SRX4600? Has anyone observed similar real-world performance figures?

    Best regards,



    ------------------------------
    Emre KOCAOGLU
    ------------------------------


  • 2.  RE: Inquiry Regarding L3/L4 DDoS Mitigation Capabilities of Juniper SRX Devices

    Posted 26 days ago

    Hi, look here, you can try to limit source addresses based on 1 or 2 service providers

    https://www.linkedin.com/pulse/how-improve-remote-access-security-using-python-tagir-temirgaliyev-9xdwf/?trackingId=IQ8xhmVWVMpuopuOzo%2B9EQ%3D%3D



    ------------------------------
    Tag Te
    ------------------------------

    Original Message