[j-nsp] DDOS to a 802.1ad trunk address

Daniel Puka daniel.puka at gvt.com.br
Fri Apr 2 13:17:16 EST 2004

> We have two Juniper M20s connected through an 802.1ad trunk (2x 1GE PICs)
> 
> JNPR 1 <==== 802.1ad TRK ====> JNPR 2
> 
> We have the IS-IS, MPLS, RSVP and BGP protocols configured over this
> trunk. The trunk is configured with a /30 address and yesterday we started
> to receive a DDoS attack targeting the JNPR 2 side of the trunk.
> 
> The DDoS was based on UDP packets destined to trunk port 80 with a rate
> of ~15000 packets/sec. We did not notice any big traffic increase in any
> of our peers.
> 
> During the attack we noticed on both M20s MPLS and IS-IS down
> messages in the system log. On JNPR 2 we also noticed high CPU on the SSB,
> when the normal level is about 5 or 6%.
> 
> The workaround was to block the UDP traffic targeting the JNPR 2
> interface. What is interesting in this case is that our JNPR is not
> answering port 80 UDP packets, and also that these packets should be
> discarded by Juniper without causing any problem to the SSB.
> 
> Do you have any idea if this problem is an issue in Junos or if I need
> to put a filter on every router interface to block this kind of attack?
> 
> Regards,
> 
> Daniel
> 
> Manager at jnpr-dist-bsa-re0> show chassis ssb
> SSB status:
> Slot 0 information:
>   State                          Master
>   Temperature                 41 degrees C / 105 degrees F
>   CPU utilization             85 percent
>   Interrupt utilization        3 percent
>   Heap utilization            15 percent
>   Buffer utilization          56 percent
>   Total CPU DRAM             256 MB
>   Internet Processor II          Version 2, Foundry IBM, Part number 9
>   Start time:                    2004-02-06 14:36:23 BRST
>   Uptime:                       54 days, 8 hours, 16 minutes, 37 seconds
> Slot 1 information:
>   State                          Backup
> 
> show log messages on JNPR1
> 
> Mar 31 21:03:52 jnpr-bsa rpd[2468]: RPD_ISIS_ADJDOWN: IS-IS lost L2
> adjacency to jnpr-dist-bsa-re0 on ae0.0, reason: Aged Out
> Mar 31 21:03:52 jnpr-bsa rpd[2468]: RSVP neighbor JNPR2 down on interface
> ae0.0, triggered by IGP neighbor down event
> Mar 31 21:03:52 jnpr-bsa rpd[2468]: RPD_MPLS_LSP_DOWN: MPLS LSP
> TO_BSA_DIST down on primary()
> Mar 31 21:03:52 jnpr-bsa rpd[2468]: RPD_ISIS_ADJUP: IS-IS new L2 adjacency
> to jnpr-dist-bsa-re0 on ae0.0
> Mar 31 21:04:11 jnpr-bsa rpd[2468]: RSVP neighbor JNPR2 up on interface
> ae0.0
> Mar 31 21:04:36 jnpr-bsa rpd[2468]: RPD_MPLS_LSP_UP: MPLS LSP TO_BSA_DIST
> up on primary() Route  JNPR2
> 
> show firewall log (sample):
> 
> Name of protocol: UDP, Packet Length: 29, Source address:
> 64.191.53.175:47776, Destination address: JNPR2:80
> Name of protocol: UDP, Packet Length: 29, Source address:
> 64.191.53.175:47776, Destination address: JNPR2:80
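
An added example (not part of Daniel's post or of any reply on the list): a Junos loopback input filter of the kind normally used to shield the RE/SSB from traffic such as this, assuming hypothetical filter and counter names (protect-re, udp80-to-re) and, as the post states, that the router has nothing listening on UDP port 80.

```junos
/* Added example, not from the post: an lo0 input filter to protect the RE/SSB. */
/* The filter and counter names (protect-re, udp80-to-re) are hypothetical.     */
firewall {
    family inet {
        filter protect-re {
            /* The router answers nothing on UDP/80, so discard it before the SSB sees it. */
            /* Counting is cheap; "log" or "syslog" here would itself load the RE in a flood. */
            term drop-udp80-to-router {
                from {
                    protocol udp;
                    destination-port 80;
                }
                then {
                    count udp80-to-re;
                    discard;
                }
            }
            /* IS-IS runs over CLNS, RSVP is IP protocol 46, BGP is TCP/179: none match above. */
            term accept-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* An lo0 input filter sees every packet addressed to any of the router's own */
                /* addresses, the ae0.0 /30 included, so it replaces per-interface filters. */
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-re` shows the udp80-to-re counter climbing while the flood lasts, which confirms the drops are happening in the filter rather than on the SSB.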