[j-nsp] ERX High SRP Processor utilization--lots of ICMP--

Truman Boyes truman at research.suspicious.org
Wed Jun 18 21:59:16 EDT 2003


On Monday, June 16, 2003, at 02:10 PM, Roy-Magne Mo wrote:

> Jeronimo Diez de Sollano Velazco Aceves:
>> Hello
>> We have an ERX with two STM-4 linemodules and 1 4STM1 linemodule. We
>> are running BGP full routing and OSPF as iBGP.
>> We have the SRP processor of the ERX at about 60%.
>> We can see a lot of ICMP but when we do the icmptraffic debug then we
>> can see that the addresses that answer the ICMP requests are the
>> broadcast addresses of the point-to-point links with other routers.
>
> Watch your traffic for (D)DoS SYN-attacks, just had an attack here
> driving the CPU up to loads of 70-80% sustained.
>
> -- 
> Roy-Magne Mo
>
You are probably seeing a "smurf" attack or other attack that relies on 
broadcast traffic. You should have 'no ip directed-broadcast' on the 
ERX. It may already exist in the default configuration, so do a 'show 
config include-defaults | inc directed' to verify. Also I would have ip 
local policies applied on each interface to restrict traffic with a 
destination of the SRP ip interfaces.

Truman
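
Added example, not part of the original post or of any Juniper tooling: a short Python check that takes the subnets of a router's point-to-point links and a list of addresses seen in ICMP debug output, and counts how many fall on a link's directed-broadcast address, which is the pattern described in this thread. The link prefixes and observed addresses below are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample data (assumptions, not taken from the thread).
LINKS = ["192.0.2.0/30", "192.0.2.4/30", "198.51.100.8/31"]
SEEN = ["192.0.2.3", "192.0.2.3", "192.0.2.7",
        "192.0.2.1", "198.51.100.9", "203.0.113.5"]


def directed_broadcasts(links):
    """Map each link's directed-broadcast address to its subnet.

    /31 and /32 prefixes have no broadcast address (RFC 3021), so the
    last address of a /31 must not be flagged; those links are skipped.
    """
    out = {}
    for cidr in links:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version == 4 and net.prefixlen < 31:
            out[net.broadcast_address] = net
    return out


def count_broadcast_hits(links, seen):
    """Count observed addresses that are a link's directed broadcast."""
    bcasts = directed_broadcasts(links)
    hits = Counter()
    for text in seen:
        addr = ipaddress.ip_address(text)
        if addr in bcasts:
            hits[str(bcasts[addr])] += 1
    return dict(hits)


if __name__ == "__main__":
    for link, n in sorted(count_broadcast_hits(LINKS, SEEN).items()):
        print(f"{link}: {n} packet(s) involving the directed-broadcast address")
```

Links that show up here are the ones to check first for a missing 'no ip directed-broadcast'.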



