SlideShare a Scribd company logo

Flowspec @ Bay Area Juniper User Group (BAJUG)

Juniper Networks
Juniper Networks

This presentation provides an overview of Flowspec with sample rule configurations and graphs visualizing potential attacks.

Technology
1 of 12
Download to read offline
Flowspec @ Bay Area Juniper User Group (BAJUG) October 16, 2012 Terry Rodery, Network Engineer terry@cloudflare.com Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Background • RFC 5575 (2009) • Piggybacks on top of existing BGP • Supported by Juniper (and Alcatel too apparently?) • Available in JunOS since 7.X Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Operational • Configure rules on route server (config so easy a caveman could do it). • Commit config. • Rules are pushed via BGP to routers. I typically see the rules appear on my edge routers in a matter of seconds. • Flowspec counters are available for viewing from CLI using “show firewall”. Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Drawbacks • Flowspec counters ARE NOT available via SNMP! Surely someone can fix this  • You’ll need to write the necessary poller, database, graphing, etc. to do this. • Not able to use prefix-lists to define source/destination addresses. Must create multiple rules for multiple prefixes. • Flowspec is only supported on M,MX,T-Series devices and is not available on EX and SRX. Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Sample “rule” configs Discards all traffic to UDP port 80. route DISCARD-80-UDP { match { protocol udp; destination-port 80; } then discard; } Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Sample “rule” configs Rate-limit TCP SYN to 5Mbps. This will be the easiest rate-limiting you’ve ever done on JunOS. No more manual policer configuration! route 108.162.203.11-RL { match { destination 108.162.203.11/32; protocol tcp; tcp-flags 2; } then rate-limit 5m; } Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Sample “rule” configs route 141.101.124.242-DISCARD { match destination 141.101.124.242/32; then discard; } We no longer “nullroute” using BGP triggered blackhole to transit providers so we don’t lose visibility into the attack. Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Cool Stuffz Time for the cool stuff! (Graphs) Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Short lived SYN flood Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Big attack Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
Decaying long lived attack Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
1Gbps attack Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com

Recommended

BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
BGP persistence
BGP persistenceBGP persistence
BGP persistenceBertrand Duvivier
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiManaging Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiMyNOG
 

Recommended

BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
BGP persistence
BGP persistenceBGP persistence
BGP persistenceBertrand Duvivier
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiManaging Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed RawiMyNOG
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationMyNOG
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPROIDEA
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesFebrian ‎
 
Interior Routing Protocols
Interior Routing ProtocolsInterior Routing Protocols
Interior Routing ProtocolsKHNOG
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR Bertrand Duvivier
 
Using BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet ConnectionsUsing BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet ConnectionsRowell Dionicio
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing DaemonAPNIC
 
pps Matters
pps Matterspps Matters
pps MattersBangladesh Network Operators Group
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT RoutingBangladesh Network Operators Group
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN IntroductionBangladesh Network Operators Group
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachBangladesh Network Operators Group
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Cisco Canada
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaBangladesh Network Operators Group
 
How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationAndy Davidson
 
Bgp (1)
Bgp (1)Bgp (1)
Bgp (1)Vamsidhar Naidu
 
2015-ShowNet -DDoS/IX/BGPFlowspec/External
2015-ShowNet -DDoS/IX/BGPFlowspec/External2015-ShowNet -DDoS/IX/BGPFlowspec/External
2015-ShowNet -DDoS/IX/BGPFlowspec/ExternalInterop Tokyo ShowNet NOC Team
 
Bgpcep odl summit 2015
Bgpcep odl summit 2015Bgpcep odl summit 2015
Bgpcep odl summit 2015Giles Heron
 

More Related Content

What's hot

RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationMyNOG
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPROIDEA
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesFebrian ‎
 
Interior Routing Protocols
Interior Routing ProtocolsInterior Routing Protocols
Interior Routing ProtocolsKHNOG
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR Bertrand Duvivier
 
Using BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet ConnectionsUsing BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet ConnectionsRowell Dionicio
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing DaemonAPNIC
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Cisco Canada
 
How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationAndy Davidson
 

What's hot (20)

RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
 
Interior Routing Protocols
Interior Routing ProtocolsInterior Routing Protocols
Interior Routing Protocols
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR
 
Using BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet ConnectionsUsing BGP To Manage Dual Internet Connections
Using BGP To Manage Dual Internet Connections
 
BIRD Routing Daemon
BIRD Routing DaemonBIRD Routing Daemon
BIRD Routing Daemon
 
pps Matters
pps Matterspps Matters
pps Matters
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
 
How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco Routers
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing Optimisation
 
Bgp (1)
Bgp (1)Bgp (1)
Bgp (1)
 

Viewers also liked

Bgpcep odl summit 2015
Bgpcep odl summit 2015Bgpcep odl summit 2015
Bgpcep odl summit 2015Giles Heron
 
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...Shuichi Ohkubo
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simplePavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
Segment Routing: A Tutorial
Segment Routing: A TutorialSegment Routing: A Tutorial
Segment Routing: A TutorialAPNIC
 
LISP and NSH in Open vSwitch
LISP and NSH in Open vSwitchLISP and NSH in Open vSwitch
LISP and NSH in Open vSwitchmestery
 

Viewers also liked (8)

2015-ShowNet -DDoS/IX/BGPFlowspec/External
2015-ShowNet -DDoS/IX/BGPFlowspec/External2015-ShowNet -DDoS/IX/BGPFlowspec/External
2015-ShowNet -DDoS/IX/BGPFlowspec/External
 
Bgpcep odl summit 2015
Bgpcep odl summit 2015Bgpcep odl summit 2015
Bgpcep odl summit 2015
 
BGP Monitoring Protocol
BGP Monitoring ProtocolBGP Monitoring Protocol
BGP Monitoring Protocol
 
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho...
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
Segment Routing: A Tutorial
Segment Routing: A TutorialSegment Routing: A Tutorial
Segment Routing: A Tutorial
 
LISP and NSH in Open vSwitch
LISP and NSH in Open vSwitchLISP and NSH in Open vSwitch
LISP and NSH in Open vSwitch
 

Similar to Flowspec @ Bay Area Juniper User Group (BAJUG)

3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle CloudSimon Haslam
 
Osol Netadmin Solaris Administrator
Osol Netadmin Solaris AdministratorOsol Netadmin Solaris Administrator
Osol Netadmin Solaris AdministratorOpeyemi Olakitan
 
BigData Clusters Redefined
BigData Clusters RedefinedBigData Clusters Redefined
BigData Clusters RedefinedDataWorks Summit
 
NFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center ArchitecturesNFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center ArchitecturesCumulus Networks
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspeChris Westin
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveMiya Kohno
 
PLNOG 7: Klaudiusz Staniek - MPLS a QoS - praktycznie
PLNOG 7: Klaudiusz Staniek - MPLS a QoS - praktyczniePLNOG 7: Klaudiusz Staniek - MPLS a QoS - praktycznie
PLNOG 7: Klaudiusz Staniek - MPLS a QoS - praktyczniePROIDEA
 
July NYC Open Networking Meeup
July NYC Open Networking MeeupJuly NYC Open Networking Meeup
July NYC Open Networking MeeupCumulus Networks
 
Avb pov 2017 v2
Avb pov 2017 v2Avb pov 2017 v2
Avb pov 2017 v2Jeff Green
 
2015_01 - Networking Session - SPHMMC ICT workshop
2015_01 - Networking Session - SPHMMC ICT workshop2015_01 - Networking Session - SPHMMC ICT workshop
2015_01 - Networking Session - SPHMMC ICT workshopKathleen Ludewig Omollo
 
501 ch 3 network technologies tools
501 ch 3 network technologies tools501 ch 3 network technologies tools
501 ch 3 network technologies toolsgocybersec
 
Jawdat NGN IDNOG v1.0 public
Jawdat NGN IDNOG v1.0 publicJawdat NGN IDNOG v1.0 public
Jawdat NGN IDNOG v1.0 publicHimawan Nugroho
 
JAWDAT NGN IDNOG v1.0 (public)[COPY]
JAWDAT NGN IDNOG v1.0 (public)[COPY]JAWDAT NGN IDNOG v1.0 (public)[COPY]
JAWDAT NGN IDNOG v1.0 (public)[COPY]Mahadiputra S
 
03 (IDNOG01) NGN Next Generation Networks by Himawan Nugroho
03 (IDNOG01) NGN Next Generation Networks by Himawan Nugroho03 (IDNOG01) NGN Next Generation Networks by Himawan Nugroho
03 (IDNOG01) NGN Next Generation Networks by Himawan NugrohoIndonesia Network Operators Group
 
Collaborate nfs kyle_final
Collaborate nfs kyle_finalCollaborate nfs kyle_final
Collaborate nfs kyle_finalKyle Hailey
 

Similar to Flowspec @ Bay Area Juniper User Group (BAJUG) (20)

3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud
 
Osol Netadmin Solaris Administrator
Osol Netadmin Solaris AdministratorOsol Netadmin Solaris Administrator
Osol Netadmin Solaris Administrator
 
BigData Clusters Redefined
BigData Clusters RedefinedBigData Clusters Redefined
BigData Clusters Redefined
 
NFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center ArchitecturesNFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center Architectures
 
ITSPA May 2013 - WebRTC, TURN, and WebSocket
ITSPA May 2013 - WebRTC, TURN, and WebSocketITSPA May 2013 - WebRTC, TURN, and WebSocket
ITSPA May 2013 - WebRTC, TURN, and WebSocket
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspe
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
NFS and Oracle
NFS and OracleNFS and Oracle
NFS and Oracle
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspective
 
PLNOG 7: Klaudiusz Staniek - MPLS a QoS - praktycznie
PLNOG 7: Klaudiusz Staniek - MPLS a QoS - praktyczniePLNOG 7: Klaudiusz Staniek - MPLS a QoS - praktycznie
PLNOG 7: Klaudiusz Staniek - MPLS a QoS - praktycznie
 
July NYC Open Networking Meeup
July NYC Open Networking MeeupJuly NYC Open Networking Meeup
July NYC Open Networking Meeup
 
Avb pov 2017 v2
Avb pov 2017 v2Avb pov 2017 v2
Avb pov 2017 v2
 
2015_01 - Networking Session - SPHMMC ICT workshop
2015_01 - Networking Session - SPHMMC ICT workshop2015_01 - Networking Session - SPHMMC ICT workshop
2015_01 - Networking Session - SPHMMC ICT workshop
 
501 ch 3 network technologies tools
501 ch 3 network technologies tools501 ch 3 network technologies tools
501 ch 3 network technologies tools
 
SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0
 
Jawdat NGN IDNOG v1.0 public
Jawdat NGN IDNOG v1.0 publicJawdat NGN IDNOG v1.0 public
Jawdat NGN IDNOG v1.0 public
 
JAWDAT NGN IDNOG v1.0 (public)[COPY]
JAWDAT NGN IDNOG v1.0 (public)[COPY]JAWDAT NGN IDNOG v1.0 (public)[COPY]
JAWDAT NGN IDNOG v1.0 (public)[COPY]
 
03 (IDNOG01) NGN Next Generation Networks by Himawan Nugroho
03 (IDNOG01) NGN Next Generation Networks by Himawan Nugroho03 (IDNOG01) NGN Next Generation Networks by Himawan Nugroho
03 (IDNOG01) NGN Next Generation Networks by Himawan Nugroho
 
Collaborate nfs kyle_final
Collaborate nfs kyle_finalCollaborate nfs kyle_final
Collaborate nfs kyle_final
 

More from Juniper Networks

Why Juniper, Driven by Mist AI, Leads the Market
Why Juniper, Driven by Mist AI, Leads the Market Why Juniper, Driven by Mist AI, Leads the Market
Why Juniper, Driven by Mist AI, Leads the MarketJuniper Networks
 
Experience the AI-Driven Enterprise
Experience the AI-Driven EnterpriseExperience the AI-Driven Enterprise
Experience the AI-Driven EnterpriseJuniper Networks
 
How AI Simplifies Troubleshooting Your WAN
How AI Simplifies Troubleshooting Your WANHow AI Simplifies Troubleshooting Your WAN
How AI Simplifies Troubleshooting Your WANJuniper Networks
 
Real AI. Real Results. Mist AI Customer Testimonials.
Real AI. Real Results. Mist AI Customer Testimonials.Real AI. Real Results. Mist AI Customer Testimonials.
Real AI. Real Results. Mist AI Customer Testimonials.Juniper Networks
 
Are you able to deliver reliable experiences for connected devices
Are you able to deliver reliable experiences for connected devicesAre you able to deliver reliable experiences for connected devices
Are you able to deliver reliable experiences for connected devicesJuniper Networks
 
Stop Doing These 5 Things with Your SD-WAN
Stop Doing These 5 Things with Your SD-WANStop Doing These 5 Things with Your SD-WAN
Stop Doing These 5 Things with Your SD-WANJuniper Networks
 
Securing IoT at Scale Requires a Holistic Approach
Securing IoT at Scale Requires a Holistic ApproachSecuring IoT at Scale Requires a Holistic Approach
Securing IoT at Scale Requires a Holistic ApproachJuniper Networks
 
Smart Solutions for Smart Communities: What's Next & Who's Responsible?
Smart Solutions for Smart Communities: What's Next & Who's Responsible?Smart Solutions for Smart Communities: What's Next & Who's Responsible?
Smart Solutions for Smart Communities: What's Next & Who's Responsible?Juniper Networks
 
Are You Ready for Digital Cohesion?
Are You Ready for Digital Cohesion?Are You Ready for Digital Cohesion?
Are You Ready for Digital Cohesion?Juniper Networks
 
Juniper vSRX - Fast Performance, Low TCO
Juniper vSRX - Fast Performance, Low TCOJuniper vSRX - Fast Performance, Low TCO
Juniper vSRX - Fast Performance, Low TCOJuniper Networks
 
SDN and NFV: Transforming the Service Provider Organization
SDN and NFV: Transforming the Service Provider OrganizationSDN and NFV: Transforming the Service Provider Organization
SDN and NFV: Transforming the Service Provider OrganizationJuniper Networks
 
Navigating the Uncertain World Facing Service Providers - Juniper's Perspective
Navigating the Uncertain World Facing Service Providers - Juniper's PerspectiveNavigating the Uncertain World Facing Service Providers - Juniper's Perspective
Navigating the Uncertain World Facing Service Providers - Juniper's PerspectiveJuniper Networks
 
vSRX Buyer’s Guide infographic - Juniper Networks
vSRX Buyer’s Guide infographic - Juniper Networks vSRX Buyer’s Guide infographic - Juniper Networks
vSRX Buyer’s Guide infographic - Juniper Networks Juniper Networks
 
NFV Solutions for the Telco Cloud
NFV Solutions for the Telco Cloud NFV Solutions for the Telco Cloud
NFV Solutions for the Telco Cloud Juniper Networks
 
Juniper SRX5800 Infographic
Juniper SRX5800 InfographicJuniper SRX5800 Infographic
Juniper SRX5800 InfographicJuniper Networks
 
Infographic: 90% MetaFabric Customer Satisfaction
Infographic: 90% MetaFabric Customer SatisfactionInfographic: 90% MetaFabric Customer Satisfaction
Infographic: 90% MetaFabric Customer SatisfactionJuniper Networks
 
Infographic: Whack Hackers Lightning Fast
Infographic: Whack Hackers Lightning FastInfographic: Whack Hackers Lightning Fast
Infographic: Whack Hackers Lightning FastJuniper Networks
 
High performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computingHigh performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computingJuniper Networks
 

More from Juniper Networks (20)

Why Juniper, Driven by Mist AI, Leads the Market
Why Juniper, Driven by Mist AI, Leads the Market Why Juniper, Driven by Mist AI, Leads the Market
Why Juniper, Driven by Mist AI, Leads the Market
 
Experience the AI-Driven Enterprise
Experience the AI-Driven EnterpriseExperience the AI-Driven Enterprise
Experience the AI-Driven Enterprise
 
How AI Simplifies Troubleshooting Your WAN
How AI Simplifies Troubleshooting Your WANHow AI Simplifies Troubleshooting Your WAN
How AI Simplifies Troubleshooting Your WAN
 
Real AI. Real Results. Mist AI Customer Testimonials.
Real AI. Real Results. Mist AI Customer Testimonials.Real AI. Real Results. Mist AI Customer Testimonials.
Real AI. Real Results. Mist AI Customer Testimonials.
 
SD-WAN, Meet MARVIS.
SD-WAN, Meet MARVIS.SD-WAN, Meet MARVIS.
SD-WAN, Meet MARVIS.
 
Are you able to deliver reliable experiences for connected devices
Are you able to deliver reliable experiences for connected devicesAre you able to deliver reliable experiences for connected devices
Are you able to deliver reliable experiences for connected devices
 
Stop Doing These 5 Things with Your SD-WAN
Stop Doing These 5 Things with Your SD-WANStop Doing These 5 Things with Your SD-WAN
Stop Doing These 5 Things with Your SD-WAN
 
Securing IoT at Scale Requires a Holistic Approach
Securing IoT at Scale Requires a Holistic ApproachSecuring IoT at Scale Requires a Holistic Approach
Securing IoT at Scale Requires a Holistic Approach
 
Smart Solutions for Smart Communities: What's Next & Who's Responsible?
Smart Solutions for Smart Communities: What's Next & Who's Responsible?Smart Solutions for Smart Communities: What's Next & Who's Responsible?
Smart Solutions for Smart Communities: What's Next & Who's Responsible?
 
What's Your IT Alter Ego?
What's Your IT Alter Ego?What's Your IT Alter Ego?
What's Your IT Alter Ego?
 
Are You Ready for Digital Cohesion?
Are You Ready for Digital Cohesion?Are You Ready for Digital Cohesion?
Are You Ready for Digital Cohesion?
 
Juniper vSRX - Fast Performance, Low TCO
Juniper vSRX - Fast Performance, Low TCOJuniper vSRX - Fast Performance, Low TCO
Juniper vSRX - Fast Performance, Low TCO
 
SDN and NFV: Transforming the Service Provider Organization
SDN and NFV: Transforming the Service Provider OrganizationSDN and NFV: Transforming the Service Provider Organization
SDN and NFV: Transforming the Service Provider Organization
 
Navigating the Uncertain World Facing Service Providers - Juniper's Perspective
Navigating the Uncertain World Facing Service Providers - Juniper's PerspectiveNavigating the Uncertain World Facing Service Providers - Juniper's Perspective
Navigating the Uncertain World Facing Service Providers - Juniper's Perspective
 
vSRX Buyer’s Guide infographic - Juniper Networks
vSRX Buyer’s Guide infographic - Juniper Networks vSRX Buyer’s Guide infographic - Juniper Networks
vSRX Buyer’s Guide infographic - Juniper Networks
 
NFV Solutions for the Telco Cloud
NFV Solutions for the Telco Cloud NFV Solutions for the Telco Cloud
NFV Solutions for the Telco Cloud
 
Juniper SRX5800 Infographic
Juniper SRX5800 InfographicJuniper SRX5800 Infographic
Juniper SRX5800 Infographic
 
Infographic: 90% MetaFabric Customer Satisfaction
Infographic: 90% MetaFabric Customer SatisfactionInfographic: 90% MetaFabric Customer Satisfaction
Infographic: 90% MetaFabric Customer Satisfaction
 
Infographic: Whack Hackers Lightning Fast
Infographic: Whack Hackers Lightning FastInfographic: Whack Hackers Lightning Fast
Infographic: Whack Hackers Lightning Fast
 
High performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computingHigh performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computing
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Flowspec @ Bay Area Juniper User Group (BAJUG)

  • 1. Flowspec @ Bay Area Juniper User Group (BAJUG) October 16, 2012 Terry Rodery, Network Engineer terry@cloudflare.com Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 2. Background • RFC 5575 (2009) • Piggybacks on top of existing BGP • Supported by Juniper (and Alcatel too apparently?) • Available in JunOS since 7.X Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 3. Operational • Configure rules on route server (config so easy a caveman could do it). • Commit config. • Rules are pushed via BGP to routers. I typically see the rules appear on my edge routers in a matter of seconds. • Flowspec counters are available for viewing from CLI using “show firewall”. Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 4. Drawbacks • Flowspec counters ARE NOT available via SNMP! Surely someone can fix this  • You’ll need to write the necessary poller, database, graphing, etc. to do this. • Not able to use prefix-lists to define source/destination addresses. Must create multiple rules for multiple prefixes. • Flowspec is only supported on M,MX,T-Series devices and is not available on EX and SRX. Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 5. Sample “rule” configs Discards all traffic to UDP port 80. route DISCARD-80-UDP { match { protocol udp; destination-port 80; } then discard; } Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 6. Sample “rule” configs Rate-limit TCP SYN to 5Mbps. This will be the easiest rate-limiting you’ve ever done on JunOS. No more manual policer configuration! route 108.162.203.11-RL { match { destination 108.162.203.11/32; protocol tcp; tcp-flags 2; } then rate-limit 5m; } Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 7. Sample “rule” configs route 141.101.124.242-DISCARD { match destination 141.101.124.242/32; then discard; } We no longer “nullroute” using BGP triggered blackhole to transit providers so we don’t lose visibility into the attack. Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 8. Cool Stuffz Time for the cool stuff! (Graphs) Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 9. Short lived SYN flood Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 10. Big attack Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 11. Decaying long lived attack Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com
  • 12. 1Gbps attack Flowspec @ Bay Area Juniper User Group (BAJUG) Terry Rodery – terry@cloudflare.com