[j-nsp] DDOS to a 802.1ad trunk address

Jeff Wheeler jeff at reflected.net
Fri Apr 2 14:27:07 EST 2004


On Fri, 2004-04-02 at 13:17, Daniel Puka wrote:
> > During the attack we notice on both M20s the MPLS and IS-IS down
> > messages in the system log. On the JNPR 2 we also notice high CPU on
> > the SSB, when the normal level is about 5 or 6%

Do you log these packets all the time, or was the SSB CPU utilization
abnormally high, and you enabled some packet logging terms to determine
the cause?  The 'log' and 'reject' actions consume SSB CPU; 15,000 pps
is more than it can process in my experience.  You can rate-limit the
traffic reaching your log and reject actions using policers, which both
gives you useful information in your logs and protects your SSB CPU.

I do not know why your ISIS adjacency failed.  That is certainly a cause
for concern.  I have not experienced similar problems when I have
allowed my own SSB CPU utilization to reach 100% but I have not done so
in combination with 802.1ad.  I hope further explanation will come from
other list readers.

-- 
Jeff at Reflected Networks
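
The following configuration sketch is an added example, not part of the original message: one way to put a policer in front of the 'log' and 'reject' actions as described above. The policer and filter names, the rate values, and the documentation address 192.0.2.1 are assumptions chosen for illustration.

```junos
firewall {
    /* Hypothetical policer: caps how much matched traffic is
       handed on to the log/reject actions. Values are examples. */
    policer limit-log-reject {
        if-exceeding {
            bandwidth-limit 32k;
            burst-size-limit 1500;
        }
        /* Out-of-profile packets are dropped by the policer,
           without being logged or rejected. */
        then discard;
    }
    /* Hypothetical filter name. */
    filter protect-trunk {
        term attacked-address {
            from {
                destination-address {
                    /* Placeholder for the address under attack. */
                    192.0.2.1/32;
                }
            }
            then {
                /* Only in-profile packets go on to log and reject,
                   so the log still receives a sample of the traffic. */
                policer limit-log-reject;
                log;
                reject;
            }
        }
        term everything-else {
            then accept;
        }
    }
}
```

Watching the SSB CPU and the firewall log after applying such a filter shows whether the policer rate is low enough for the hardware in question.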
