[j-nsp] DDOS/Poor Ping on New M5
Panny Malialis
panny at hotlinks.co.uk
Wed Apr 7 22:40:28 EDT 2004
Hello.
I'm currently getting a DDoS of around 80Mb: lots of compromised hosts making requests to port 80 on one IP.
So I've blocked the IP/port on my M5s; however, I'm seeing something strange.
One of the M5s, let's call it router A (brand new, with a 600-512 RE), is pinging badly and SSH sessions are slow on all interfaces apart from fxp0.
It's still passing traffic; however, there are bad ping times here and there and SNMP timeouts also.
The other M5, router B (old version, with a 333-768 RE), is handling everything just fine, dropping all the DDoS packets without any effect on ping times to it or passing through it.
Interestingly, if I turn off the transit on router A, so the traffic it's routing has to pass through router B as well, the ping times return to normal again.
Firewall config is identical on both router A and B.
Routing config is also virtually identical, apart from different upstreams.
Funny how the old M5 seems to work better than the new one :)
I even tried rebooting router A, with no effect.
Any similar experiences?
Could this be a hardware problem?
I did notice that A is running a little hot!
Routing engine looks OK:

(A)
Routing Engine status:
  Temperature                 36 degrees C / 96 degrees F
  DRAM                       512 MB
  Memory utilization          41 percent
  CPU utilization:
    User                       1 percent
    Background                 0 percent
    Kernel                     0 percent
    Interrupt                  0 percent
    Idle                      99 percent
  Model                          RE-3.0
  Serial ID                      P11075100957
  Start time                     2004-04-08 01:27:03 BST
  Uptime                         1 hour, 49 minutes, 16 seconds
  Load averages:                 1 minute   5 minute  15 minute
                                     0.10       0.05       0.01

(B)
Routing Engine status:
  Temperature                 30 degrees C / 86 degrees F
  DRAM                       768 MB
  Memory utilization          38 percent
  CPU utilization:
    User                       1 percent
    Background                 2 percent
    Kernel                     1 percent
    Interrupt                  0 percent
    Idle                      95 percent
  Model                          RE-2.0
  Serial ID                      de0000074a1d5401
  Start time                     2003-11-13 18:11:47 GMT
  Uptime                         146 days, 8 hours, 18 minutes, 15 seconds
  Load averages:                 1 minute   5 minute  15 minute
                                     0.04       0.02       0.00
Also, while on the subject of DDoS, does Juniper have a way to rate limit by packets per host, so I can try to allow some "good" traffic back to the server? Or should I look into a more dedicated anti-DDoS solution like Netscreen or Fortinet? Any recommendations?

Thanks
Panny Malialis.
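Added illustration, not part of the original post or of any reply on the list: the shape of a Junos firewall filter that polices, rather than simply discards, port-80 traffic to the attacked server, so that some traffic keeps reaching it while the rest is dropped at the edge. The policer and filter names, the 192.0.2.10/32 address (documentation range) and the so-0/0/0 interface are placeholders, and the bandwidth figures are arbitrary. The policer is an aggregate limit across all sources; it does not key on individual client hosts, which is the per-host behaviour the question asks about, so legitimate clients share whatever capacity the limit leaves.

```junos
firewall {
    policer http-flood-policer {
        /* Aggregate cap on all port-80 traffic matched by the filter term;
           this is not a per-source-host limit. Figures are placeholders. */
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 100k;
        }
        then discard;
    }
    filter protect-web-server {
        term rate-limit-http {
            from {
                destination-address {
                    192.0.2.10/32;   /* placeholder for the attacked server */
                }
                protocol tcp;
                destination-port http;
            }
            then {
                policer http-flood-policer;
                count http-to-server;   /* counter for visibility into the flood */
                accept;
            }
        }
        term everything-else {
            then accept;
        }
    }
}
interfaces {
    so-0/0/0 {                   /* placeholder for the upstream-facing interface */
        unit 0 {
            family inet {
                filter {
                    input protect-web-server;
                }
            }
        }
    }
}
```

The final accept-all term matters: a Junos filter discards anything no term matches, so without it the filter would black-hole all other inbound traffic on that interface. The counter can be read with show firewall filter protect-web-server to watch the attack volume over time.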