[j-nsp] ERX High SRP Processor utilization--lots of ICMP--
Roy-Magne Mo
rmo at sunnmore.net
Thu Jun 19 20:51:23 EDT 2003
Truman Boyes:
> You are probably seeing a "smurf" attack or other attack that relies on
> broadcast traffic. You should have 'no ip directed-broadcast' on the
> ERX. It may already exist in the default configuration, so do a 'show
> config include-defaults | inc directed' to verify. Also I would have ip
> local policies applied on each interface to restrict traffic with a
> destination of the SRP ip interfaces.
No, the traffic was directed for a customer behind the router, no
traffic was directed at either broadcast adresses or the routers local
addresses. The router is running as a route reflector with full
bgp-table, so it should also have a good grasp of the world.
The only process that seemed suspiciously high, was ip1 - but not
alarming.
What exactly caused isn't clear to me right now, but the attack is still
going on with about 6k packets/second being dropped at our edges - so I
could always provoke it once more if wanted to.
--
Roy-Magne Mo
More information about the juniper-nsp
mailing list