[c-nsp] BGP session going down during DDOS

redscorpion69 redscorpion69 at gmail.com
Mon Mar 10 06:09:14 EDT 2014


@Mick
All our interfaces are below total link utilization; I hope I understood
your question.

@Dobbins

We have all that in place. We have something similar for NTP traffic, and
others.  What I had in mind was limiting the total amount of traffic on edge
routers that can go to a specific region in our network. Basically grouping
by IP addresses and limiting the total amount of traffic, based on our capacity.


By the way, can you suggest other traffic filters based on specific traffic,
such as DNS, NTP, etc.? Maybe point to good documentation for best
practices.

@Saku

This is not directly connected subnet, there should be no glean packets.
But like I said, CPU never spiked.

Router is 7600, 15.2(4)S2, upstream links ES+T and ES+, downstream CFC
based CEF720 48 port 1000mb SFP.

Regards



On Mon, Mar 10, 2014 at 9:44 AM, Saku Ytti <saku at ytti.fi> wrote:

> Was the dos target connected address?
>
> Was it resolved (did it have ARP entry) or was it forced to glean?
>
> If it didn't have ARP entry, do you have mls rate-limit for glean?
>
>
>
> On 6 March 2014 20:07, redscorpion69 <redscorpion69 at gmail.com> wrote:
>
>> Today we had a couple of dozen Gbps of traffic to one of our customers.
>>
>> At one point during attack, our PE router where the customer is attached
>> had a BGP session to one of our RR go down, only to go up after half a
>> minute.
>>
>> Our core has juniper/asr9k, our PE router in question is 7600.
>>
>> All our traffic is properly classified from RR to 7600 in both directions.
>> The CPU stayed fairly low on PE, so if traffic is properly classified, how
>> is it possible for router to drop BGP control plane?
>>
>> If input queues are an issue, shouldn't default SPD configuration take
>> care
>> of that on 7600?
>>
>> How to make sure this doesn't happen again?
>>
>> Regards
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
>
> --
>   ++ytti
>

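As an added illustration of the two mitigations discussed in this thread (an ingress policer for reflection traffic such as NTP and DNS, an aggregate policer for a group of destination prefixes, and a glean rate-limit on the 7600), here is a generic IOS MQC configuration. It is not configuration from the original poster or from Cisco documentation; the interface name, ACL names, prefixes and rates are assumptions and must be sized to your own link and customer capacity.

```text
! Added example, not from the thread. Interface, prefixes and rates are assumed.
!
! Reflection/amplification traffic is recognised by its SOURCE port: NTP
! replies come from udp/123, DNS answers from udp/53. Exempt known resolvers
! before the catch-all permit so legitimate answers are not policed.
ip access-list extended ACL-NTP-REFLECTION
 remark NTP replies (monlist amplification arrives from source port 123)
 permit udp any eq 123 any
ip access-list extended ACL-DNS-REFLECTION
 remark assumed in-house resolver, exempted from the policer
 deny   udp host 192.0.2.53 eq 53 any
 permit udp any eq 53 any
!
! The "region" policer from the thread: every destination in one group of
! customer prefixes shares a single aggregate rate below what the downstream
! path can carry (assumed 203.0.113.0/24 and 198.51.100.0/24).
ip access-list extended ACL-REGION-A
 permit ip any 203.0.113.0 0.0.0.255
 permit ip any 198.51.100.0 0.0.0.255
!
class-map match-any CM-NTP-REFLECTION
 match access-group name ACL-NTP-REFLECTION
class-map match-any CM-DNS-REFLECTION
 match access-group name ACL-DNS-REFLECTION
class-map match-any CM-REGION-A
 match access-group name ACL-REGION-A
!
! Rates are placeholders: 1 Mbps for NTP replies, 10 Mbps for DNS answers,
! 5 Gbps aggregate for the region. Order matters: the reflection classes are
! evaluated before the region class, so a flood of NTP replies toward the
! region is dropped by the tighter NTP policer first.
policy-map PM-EDGE-INGRESS
 class CM-NTP-REFLECTION
  police 1000000 conform-action transmit exceed-action drop
 class CM-DNS-REFLECTION
  police 10000000 conform-action transmit exceed-action drop
 class CM-REGION-A
  police 5000000000 conform-action transmit exceed-action drop
 class class-default
!
interface TenGigabitEthernet1/1
 description upstream transit (assumed interface)
 service-policy input PM-EDGE-INGRESS
!
! Saku's point: a flood toward an address with no ARP entry on a directly
! connected subnet is punted to the RP for gleaning. Cap that punt rate so it
! cannot starve the control plane (values in pps and burst, assumed).
mls rate-limit unicast cef glean 1000 10
```

After applying it during an event, `show policy-map interface TenGigabitEthernet1/1` shows per-class conformed and exceeded counters, which tells you whether the attack actually hit a class you anticipated, and `show mls rate-limit` confirms the glean limiter is programmed. Note that ingress policing on the edge only protects the downstream path and the RP; a flood that is already saturating the upstream link has to be handled upstream (the transit provider or a scrubbing path), which is what the thread's capacity-based grouping is meant to avoid in the first place.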
