[c-nsp] BGP session going down during DDOS

redscorpion69 redscorpion69 at gmail.com
Mon Mar 10 06:19:44 EDT 2014


The congested 'meeting' place for DDOS traffic and BGP traffic was AS9k,
upstream of PE router. But QoS is properly implemented there, and there are
no drops for critical traffic.
ASR9010, 4.2.3.




On Mon, Mar 10, 2014 at 11:09 AM, redscorpion69 <redscorpion69 at gmail.com> wrote:

> @Mick
> All our interfaces are below total link utilization; I hope I understood
> your question.
>
> @Dobbins
>
> We have all that in place. We have something similar for NTP traffic, and
> others.  What I had in mind was limiting total amount of traffic on edge
> routers that can go to specific region in our network. Basically grouping
> by IP addresses and limiting total amount of traffic, based on our capacity.
>
>
> By the way, can you suggest other traffic filters based on specific traffic,
> such as DNS, NTP, etc.? Maybe point to good documentation for best
> practices.
>
> @Saku
>
> This is not directly connected subnet, there should be no glean packets.
> But like I said, CPU never spiked.
>
> Router is 7600, 15.2(4)S2, upstream links ES+T and ES+, downstream CFC
> based CEF720 48 port 1000mb SFP.
>
> Regards
>
>
>
> On Mon, Mar 10, 2014 at 9:44 AM, Saku Ytti <saku at ytti.fi> wrote:
>
>> Was the dos target connected address?
>>
>> Was it resolved (did it have ARP entry) or was it forced to glean?
>>
>> If it didn't have ARP entry, do you have mls rate-limit for glean?
>>
>>
>>
>> On 6 March 2014 20:07, redscorpion69 <redscorpion69 at gmail.com> wrote:
>>
>>> Today we had a couple of dozen Gbps traffic to one of our customer.
>>>
>>> At one point during attack, our PE router where the customer is attached
>>> had a BGP session to one of our RR go down, only to go up after half a
>>> minute.
>>>
>>> Our core has juniper/asr9k, our PE router in question is 7600.
>>>
>>> All our traffic is properly classified from RR to 7600 in both
>>> directions.
>>> The CPU stayed fairly low on PE, so if traffic is properly classified,
>>> how
>>> is it possible for router to drop BGP control plane?
>>>
>>> If input queues are an issue, shouldn't default SPD configuration take
>>> care
>>> of that on 7600?
>>>
>>> How to make sure this doesn't happen again?
>>>
>>> Regards
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>>
>>
>> --
>>   ++ytti
>>
>
>

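Added illustration, not part of the thread above: Saku's question about glean rate-limiting and the original poster's question about protecting the BGP control plane on a 7600 both point at the same two knobs, the hardware `mls rate-limit` for punted glean traffic and a CoPP policy that gives BGP its own class ahead of class-default. The fragment below is an example written for this page, not configuration from any participant. The addresses (192.0.2.1 as the RR, 192.0.2.254 as the PE loopback), the pps/bps values and the policy names are placeholders to be sized for the real platform; nothing here is claimed to reproduce or resolve the outage described in the thread.

```cisco
! Added example (not from the thread). Assumed addresses and rates.
!
! Rate-limit packets punted to the RP for ARP glean (destination on a
! connected subnet with no ARP entry). Syntax: pps, then burst in packets.
mls rate-limit unicast cef glean 1000 100

! Match BGP with the route reflector in either direction.
! 192.0.2.1 = assumed RR address, 192.0.2.254 = assumed PE loopback.
ip access-list extended COPP-BGP
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.254
 permit tcp host 192.0.2.1 host 192.0.2.254 eq bgp

class-map match-all COPP-BGP
 match access-group name COPP-BGP

! BGP gets its own class and is never dropped by the exceed action;
! everything else punted to the control plane is capped. Rates are assumed.
policy-map COPP
 class COPP-BGP
  police 1000000 conform-action transmit exceed-action transmit
 class class-default
  police 500000 conform-action transmit exceed-action drop

control-plane
 service-policy input COPP
```

To check whether either limiter is actually doing work during an event, `show mls rate-limit` lists the configured hardware limiters and `show policy-map control-plane` shows per-class conform/exceed counters, so a rise in class-default drops while the COPP-BGP class stays clean is the signal that punted attack traffic, not BGP itself, was being policed.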
