[j-nsp] ERX High SRP Processor utilization--lots of ICMP--

Roy-Magne Mo rmo at sunnmore.net
Thu Jun 19 20:51:23 EDT 2003


Truman Boyes:
> You are probably seeing a "smurf" attack or other attack that relies on 
> broadcast traffic. You should have 'no ip directed-broadcast' on the 
> ERX. It may already exist in the default configuration, so do a 'show 
> config include-defaults | inc directed' to verify. Also I would have ip 
> local policies applied on each interface to restrict traffic with a 
> destination of the SRP ip interfaces.

No, the traffic was directed for a customer behind the router, no
traffic was directed at either broadcast addresses or the router's local
addresses. The router is running as a route reflector with full
bgp-table, so it should also have a good grasp of the world.

The only process that seemed suspiciously high, was ip1 - but not
alarming. 

What exactly caused it isn't clear to me right now, but the attack is still
going on with about 6k packets/second being dropped at our edges - so I
could always provoke it once more if I wanted to.

-- 
Roy-Magne Mo


