[j-nsp] Massive ICMP test. Could it generate problems?

Gary Tate gtate at juniper.net
Tue Dec 9 11:39:51 EST 2003


Scotty

The document mentions 500 Kbps, not Kpps, for ICMP and TCP SYN attacks.
I will check on the throttled ICMPs, but I believe this is due to the
topic under discussion here.

Gary

On Dec 9, 2003, at 7:50 AM, Scotty wrote:

> Hmm. So,
>
> What are the default filters?  If I remember, I saw something on this
> list saying 50 pps on an M20 with SSB-E to the RE, yet this security doc
> is limiting to 500 kpps.  That doesn't make sense.  Won't the built-in
> filter take over first?  Also, when is this filter applied?  Only to
> packets destined to the lo address, or any ICMP to any interface with a
> real IP?
>
> I'm asking because I'm seeing a lot of throttled ICMPs.
>
> scott at bdr1> show pfe statistics ip icmp
> {snip}
> ICMP Errors:
> {snip}
>            0 bad input interface
>      6984689 throttled icmps
>            0 runts
>
> What condition causes throttled icmps?
>
> -Scotty
>
> On Tue, 2003-12-09 at 10:28, Gary Tate wrote:
>> Traffic sourced from the RE (Routing Engine) is sent via the control
>> plane on an internal FastEthernet connection to the PFE (Packet
>> Forwarding Engine - Internet Processor) and then forwarded via the
>> forwarding plane.
>>
>> Running ping tests from the RE (Routing Engine) will not disturb
>> the other control traffic, as this is prioritized and limited.  Routing
>> control traffic, etc., takes precedence over ICMP ping traffic sourced
>> from the RE.
>>
>> There are queues and limiting of traffic types between the RE and the
>> PFE in both directions to protect the RE from being overrun by traffic
>> in the event of DoS attacks, etc.
>>
>> Additional filters and policers can be added between the RE and the PFE
>> to further protect the system.
>>
>> There is a publicly available document about security which has a
>> section detailing "Applying Firewall Filters to the Routing Engine" as
>> well as other useful security advice at the following location:
>>
>> http://www.juniper.net/solutions/literature/app_note/350013.pdf
>>
>> Additional information can be obtained through the Juniper JTAC.
>> Thanks
>> Gary
>>
>> On Dec 9, 2003, at 5:56 AM, mark at glassbil.net wrote:
>>
>>> Hi,
>>>
>>> Still rather new to Juniper and only have a basic knowledge
>>> of how it works. But I have heard that when I'm doing a massive
>>> ping test from a Juniper I could disturb "live" traffic. I can't
>>> really find a simple answer to what or how this is.
>>>
>>> Question:
>>> Could a massive ping test from a Juniper (M160 in this case) cause
>>> disturbance in the original traffic flow / processes in an M160?
>>>
>>> Say you have 4 sessions and are running 4 x rapid ping with 5000 bytes.
>>> Could this overload the RE? Or the bus?
>>>
>>> Thanx for any replies.
>>>
>>> //Mark
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> http://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>>
>>
>
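The thread points to the app note's section on applying firewall filters to the Routing Engine but does not show what such a filter looks like. Below is an added example, not taken from the thread or from the cited Juniper document: a Junos loopback filter that rate-limits ICMP reaching the RE. The policer and filter names and the burst size are assumptions; the 500k bandwidth limit is the Kbps figure Gary cites from the document.

```junos
/* Added example, not from the thread or the app note. Names are assumed;
   the 500k limit is the Kbps figure cited in the thread. */
firewall {
    policer icmp-policer {
        if-exceeding {
            /* 500 Kbps, the figure quoted from the app note */
            bandwidth-limit 500k;
            /* assumed burst size; size it to the largest expected ping burst */
            burst-size-limit 15k;
        }
        then discard;
    }
    filter protect-re {
        term limit-icmp {
            from {
                protocol icmp;
            }
            then {
                /* ICMP above the policer limit is discarded; the rest is accepted */
                policer icmp-policer;
                count icmp-to-re;
                accept;
            }
        }
        term everything-else {
            /* A Junos filter ends with an implicit discard. Without this term,
               all other traffic to the RE, including routing protocol sessions,
               would be dropped. */
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    /* A lo0 input filter covers all traffic destined to the RE,
                       whichever interface address it was sent to */
                    input protect-re;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-re` reports the `icmp-to-re` counter alongside the policer's discard count, so the effect of a ping test on the RE can be measured rather than guessed. Because the filter sits on lo0, it catches ICMP addressed to any of the router's interface addresses, not only to the loopback address; a filter applied to a physical interface would only see traffic arriving there.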
