[j-nsp] ERX High SRP Processor utilization--lots of ICMP--
truman at research.suspicious.org
Wed Jun 18 21:59:16 EDT 2003
On Monday, June 16, 2003, at 02:10 PM, Roy-Magne Mo wrote:
> Jeronimo Diez de Sollano Velazco Aceves:
>> We have an ERX wit two STM-4 linemodules and 1 4STM1 linemodule. We
>> running BGP full routing and OSPF as iBGP.
>> We haver the SRP processor of the ERX about 60 %.
>> We can see a lot of ICMP but when we do the icmptraffic debug then we
>> see that the addresses that answer the ICMP requests are the Broadcast
>> address of the point to point links with other routers.
> Watch your traffic for (D)DoS SYN-attacks, just had a attack here
> driving the CPU up to loads of 70-80% sustained.
> Roy-Magne Mo
You are probably seeing a "smurf" attack or other attack that relies on
broadcast traffic. You should have 'no ip directed-broadcast' on the
ERX. It may already exist in the default configuration, so do a 'show
config include-defaults | inc directed' to verify. Also I would have ip
local policies applied on each interface to restrict traffic with a
destination of the SRP ip interfaces.
More information about the juniper-nsp