[j-nsp] DDOS to a 802.1ad trunk address

Chris Morrow morrowc at ops-netman.net
Fri Apr 2 14:25:10 EST 2004


On Fri, 2 Apr 2004, Daniel Puka wrote:

> > The DDOS was based on UDP packtets destinated to trunk port 80 with a rate
> > of  ~15000 packets/sec. We do not notice any big traffic increase in any
> > of our peers.
> >
> > During the attack we notice in both M20's that the MPLS and IS-IS down
> > messages in system log. On the JNPR 2 we notice also high CPU on the SSB
> > when the normal level is about 5 or 6%

This traffic wasn't dropped in your loopback filter already? Do you have a
loopback filter? Any traffic destined for interfaces on the router will be
sent to the RE for interpretation, regardless of running services on the
system. If you want to prevent this behaviour, add filter terms to the
loopback filter... simple, and it gets dropped on the inbound interface
instead of the RE, which has limited bandwidth from the interfaces toward
it.

> >
> > Do you have any ideia if this problem is a issue on the Junos or if I need
> > to put a filter in every router interface to block this kind of attack?
> >

see loopback filter.


More information about the juniper-nsp mailing list