Cloud Circle

We are honored to welcome you here with Juniper’s cloud experts and distinguished engineers to this virtual, private community, called ‘Elevate Cloud Circle’. This is a great opportunity to discuss product and technology innovations with other industry luminaries and help shape industry standards, trends, and direction. We are excited to host engaging discussions and stimulate collaboration directly with lead engineers who drive technology evolution to and through the cloud. We hope to learn more about your technology needs and seek your opinions and ideas for defining the future of this industry together.

Please complete your profile and introduce yourself in the discussion board.  To review rules of engagement, please click here.

Attendees from the kick-off call on 9/15:

Feel free to reach out to elevate-cloud-circle@juniper.net with any questions and suggestions. Again, welcome to the Cloud Circle! Click on “Start a Topic” to reach out and start a conversation today!

Hi, Kireeti here.  Welcome, all!  I'm happy to be a member of this Circle, to stimulate discussion, answer questions and up-level the discussion to get at the heart of issues (to the best of my ability!)

Started life as a coder (still tinker), helped with ASIC algorithms, worked my way into routing protocols, now focusing on automation solutions and hope to ultimately usher in autonomous networks.  But as with all things: crawl, walk, run, limp, fly!

Now, let it rip!

Hi everyone,

I'm Albert Lew, and I've been at Juniper for about 7 years working in security first as field architect specialist and for the past 4 years as a product manager. Our team currently heads up our infrastructure security activities, including mid range SRX, high end SRX, volumetric DDoS solutions, security infrastructure software (reliability, IPsec VPN termination and clients and TLS / SSL) and service provider security solutions.

I'm really interested in the conversations we will engage in regarding the best ways to secure the cloud now and in the future. This is a very exciting time in security both in terms of how we will deliver security as well as the many and creative approaches that are being invented to detect and mitigate threats.

When not on Zoom or Teams calls for Juniper, I can be found behind the viewfinder shooting photos, strapped to my snowboard bindings zooming through trees in the winter, or riding single speed, downhill and cross country mountain bikes.

Albert

Hi all!

I'm Edwin Verwoerd and I've been working in the Service Provider world for more than 15 years. My "first juniper" was the M40. Nowadays I'm working at i3D.net, a Ubisoft Company as VP of Engineer and Teamlead Network Operations, which is based in The Netherlands and in Los Angeles. We are working with Juniper MX, QFX, EX, SRX and Mist equipment all over the world. Our backbone spans the whole globe, going completely around. We manage the network and hardware for game publishers, serving the gaming customers of the publishers. We are also the main provider for Discord.

Gaming is focused on low latency, so this is our main goal with our network. With the attacks we are receiving with the special traffic that games produce, we also build our own Anti-DDoS system. Furthermore we have thousands of servers all over the world, so we focus heavily on automation.

This was my introduction. I'm curious what the others do in this group!

Hi Edwin,

M40 -- oooh!  Is it still in production? (it's been so long past EOL/EOS/..., so it's very unlikely).  If not, do you know where it is?

Great to hear how you're using our boxes.  By any chance, are you using flow spec to deal with DDoS?  What are your automation tools when it comes to the juniper boxes?

Cheers!

K

No, it isn't in production anymore 🙂 It had a nice 4x100mbit PIC. Later on we replaced it with M5 and M7i. Later on I switched companies. We currently are using MX204's, MX10003's and MX10008's in our network.

We use bgp flowspec for our anti-ddos system, although we are still testing with the amount of flowspec-rules we can enter.

Eventually we are offloading that to an internal built ddos-scrubbing-system we have.

The tooling we use is internally built. We do have some small issues with the MX10K's when we remove and add flowspec's at high speed.

Other automation tools are all custom built on our side. This is for setting ports on our top-of-rack switches, but also getting detailed information from our routers, together with realtime telemetry for example.

Cheers, Edwin

Edwin,

For the past year or so, we have been helping our customers address their DDoS challenges with a very unique offering that combines the DDoS detection of Corero Network Security with the hardware acceleration and in-line scrubbing of the Juniper ASICs in our line cards on our routers. One advantage of this approach are that it can detect volumetric attacks far more quickly - in seconds versus minutes - than the traditional flowspec DDoS solutions. Another benefit for you as a gaming company is that since the mitigation and scrubbing happens inline in the router, you can preserve the low latency and high performance of your network. 

Let me know if you're interested, and I can connect you with the right folks here at Juniper.

https://www.juniper.net/us/en/dm/mx-security/ddos/

Albert

Hi Albert,

Ah, a sales pitch.. As I wrote down, we have built our own anti-DDoS-system. Secondly, we filter all of the common volumetric traffic. Thirdly, we did talk with Corero in the past, but with the amount of traffic we do, it didn't work out.

But thanks for the info!

Regards, Edwin

Edwin,

Thanks for the feedback. It was totally clear that you have your own DDoS solution, but I am interested in understanding and hearing from customers such as yourself who have a different approach to stopping DDoS attacks so that we can improve our own product offerings.

If you don't mind, can you explain what you mean by a few of your comments? First, can you explain what you meant by the fact that you filter all common volumetric traffic? Does this mean that you filter out the vast majority of your traffic that doesn't present a threat to your organization? Or that you have filters that stop common high volume DDoS attacks like recursive NTP and DNS attacks?

Secondly, we are looking to improve our joint offering with Corero. It is especially insightful when we can understand why the solution isn't suited for an organization. You mentioned that for the amount of your traffic, the Corero solution didn't work out. We are getting some of this feedback as well; the Corero + Juniper solution originally started at 500Gbps of DDoS protection, and we have had extensive feedback from our customers that this was too much. We now have a 100Gbps DDoS offering, and we are still getting feedback that this is too much, but unfortunately, that is the smallest sized DDoS protection that we can offer.

Thanks in advance for your insights!

Albert