[j-nsp] Massive ICMP test. Could it generate problems?

Gary Tate gtate at juniper.net
Tue Dec 9 11:52:37 EST 2003


Scott

These are local PFE statistics and 'throttled icmps' shows rate
limiting of ICMPs that would be handled locally. They are throttled to
50pps.

Gary

On Dec 9, 2003, at 8:39 AM, Gary Tate wrote:

> Scotty
>
> The document mentions 500 Kbps not Kpps for ICMP and TCP Syn attacks.
> I will check on the throttled ICMPs but I believe this is due to the
> topic under discussion here.
>
> Gary
>
> On Dec 9, 2003, at 7:50 AM, Scotty wrote:
>
>> hmm So,
>>
>> What are the default filters?  If I remember, I saw something on this
>> list saying 50pps on an m20 with SSB-E to the RE, yet this security
>> doc is limiting to 500kpps..  that doesn't make sense.  Won't the
>> built-in filter take over first?  Also when is this filter applied?
>> Only to packets destined to the lo address or any icmp to any
>> interface with a real ip?
>>
>> I'm asking 'cause I'm seeing a lot of throttled icmps..
>>
>> scott at bdr1> show pfe statistics ip icmp
>> {snip}
>> ICMP Errors:
>> {snip}
>>            0 bad input interface
>>      6984689 throttled icmps
>>            0 runts
>>
>> What condition causes throttled icmps?
>>
>> -Scotty
>>
>> On Tue, 2003-12-09 at 10:28, Gary Tate wrote:
>>> Traffic sourced from the RE (Routing Engine) is sent via the control
>>> plane on an internal FastEthernet connection to the PFE (Packet
>>> Forwarding Engine - Internet Processor) and then forwarded via the
>>> forwarding plane.
>>>
>>> Running ping tests from the RE (Routing Engine) will not disturb
>>> the other control traffic as this is prioritized and limited.
>>> Routing control traffic etc. takes precedence over ICMP ping traffic
>>> sourced from the RE.
>>>
>>> There are queues and limiting of traffic types between the RE and
>>> the PFE in both directions to protect the RE from being overrun by
>>> traffic in the event of DOS attacks etc.
>>>
>>> Additional filters and policers can be added between the RE and the
>>> PFE to further protect the system.
>>>
>>> There is a publicly available document about security which has a
>>> section detailing "Applying Firewall Filters to the Routing Engine" as
>>> well as other useful security advice at the following location:
>>>
>>> http://www.juniper.net/solutions/literature/app_note/350013.pdf
>>>
>>> Additional information can be obtained through the Juniper JTAC.
>>> Thanks
>>> Gary
>>>
>>> On Dec 9, 2003, at 5:56 AM, mark at glassbil.net wrote:
>>>
>>>> Hi,
>>>>
>>>> Still rather new to Juniper and only have a basic knowledge
>>>> of how it works. But I have heard that when I'm doing a massive
>>>> ping test from a Juniper I could disturb "live" traffic. I can't
>>>> really find a simple answer to what or how this is.
>>>>
>>>> Question:
>>>> Could a massive ping test from a Juniper (M160 in this case) cause
>>>> disturbance in the original traffic flow / processes in an M160?
>>>>
>>>> Say you have 4 sessions and running 4 x rapid ping with 5000 bytes.
>>>> Could this overload the RE? Or the bus?
>>>>
>>>> Thanks for any replies.
>>>>
>>>> //Mark
>>>>
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> http://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>
>>
>
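
Added example, not part of the thread and not taken from the Juniper application note: a minimal Junos sketch of the "additional filters and policers" mentioned above, policing ICMP and TCP SYN traffic to the Routing Engine at the 500 Kbps figure quoted in the thread. The filter and policer names, the burst sizes and the permissive final term are assumptions; an input filter on lo0 is evaluated for traffic destined to the RE on any interface address, and it is separate from the built-in 50pps PFE throttle described in the reply.

```junos
firewall {
    /* 500 Kbps is the rate quoted in the thread; burst size is assumed */
    policer icmp-500k {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer tcp-syn-500k {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-500k;
                    accept;
                }
            }
            term tcp-syn {
                from {
                    protocol tcp;
                    tcp-initial;
                }
                then {
                    policer tcp-syn-500k;
                    accept;
                }
            }
            /* Assumed catch-all so the sketch does not cut off routing */
            /* protocols; a production filter lists allowed services.   */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces { lo0 { unit 0 { family inet { filter { input protect-re; } } } } }
```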