[j-nsp] TCP SYN attack causing BGP peer down?
Richard A Steenbergen
ras at e-gerbil.net
Tue Oct 28 15:54:39 EDT 2008
On Tue, Oct 28, 2008 at 11:31:29AM -0700, ying zhang wrote:
> We experienced a TCP SYN attack from the internet today (about 350,000
> pps). Our internet pipe with our ISP is 300Mb/s. The attack caused our BGP
> peer to be torn down. Just wondering why this could happen if our pipe
> is not fully saturated? Shouldn't the BGP packets have the highest
> priority? Is there a way to stop it proactively? We have a Juniper
> M120.
Was this over Ethernet? The smallest frame that can be transmitted over
Ethernet is 84 bytes, even when the IP packet is much smaller. For
example:
Preamble and SFD 8 bytes
+ Ethernet Header 14 bytes
+ Payload 40 bytes (as in a common SYN flood)
+ Frame Padding 6 bytes
+ Frame Checksum 4 bytes
+ Inter Frame Gap 12 bytes
--------------------------
88 bytes
So while you may only see a 40 byte IP packet coming in (which is what
you'll see from Juniper snmp/monitor stats, since this is counted post
L2 header stripping), it is actually burning 88 bytes on the wire. 88
bytes * 350kpps = 246Mbps. This could easily have gone higher with extra
overhead (vlan tagging, etc), or if you were rounding down on the pps.
Also remember that queueing and prioritization are handled by the
transmitter, so even though you might have a perfect CoS configuration
with BGP preferred above all other packets, if your ISP doesn't have the
same setup the attack will fill their TX queue to you.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
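The per-frame accounting in the reply above, as an added example (this is not code from the list post or from Juniper): it sums the same fields the reply lists (preamble/SFD, Ethernet header, the IP packet, padding up to the minimum frame, FCS, inter-frame gap), optionally adds 802.1Q tags, and converts a packet rate into link utilisation so that a counter reporting post-L2-strip bytes can be reconciled with what the pipe actually carries. The 300Mb/s link, 350kpps and 40-byte packets are the figures from the thread; the VLAN tag count is an assumption for tagged links. Summing the listed fields gives 84 bytes untagged for a 40-byte packet, and 88 bytes once a single 802.1Q tag is present.

```python
"""Wire cost of a small-packet flood on Ethernet.

Added example, not code from the list post: sums the per-frame fields the
reply lists and turns a packet rate into link utilisation. Link speed,
packet rate and packet size are the figures from the thread; the optional
802.1Q tag count is an assumption for tagged links.
"""

PREAMBLE_SFD = 8      # 7 bytes preamble + 1 byte start-of-frame delimiter
ETH_HEADER = 14       # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG = 4          # one 802.1Q tag (TPID + TCI)
FCS = 4               # frame check sequence
IFG = 12              # inter-frame gap, 96 bit times
MIN_CLIENT_DATA = 46  # minimum MAC client data; shorter payloads are padded


def frame_breakdown(ip_len, vlan_tags=0):
    """Per-field byte accounting for one frame carrying an ip_len-byte IP packet.

    Returns an ordered list of (field, bytes). Padding is whatever brings the
    MAC client data (the IP packet) up to 46 bytes, which makes the untagged
    frame 64 bytes and a single-tagged frame 68 bytes.
    """
    padding = max(0, MIN_CLIENT_DATA - ip_len)
    return [
        ("Preamble and SFD", PREAMBLE_SFD),
        ("Ethernet header", ETH_HEADER),
        ("802.1Q tags", VLAN_TAG * vlan_tags),
        ("IP packet", ip_len),
        ("Frame padding", padding),
        ("Frame checksum", FCS),
        ("Inter frame gap", IFG),
    ]


def wire_bytes(ip_len, vlan_tags=0):
    """Bytes the wire is busy for per frame, padding and gap included."""
    return sum(n for _, n in frame_breakdown(ip_len, vlan_tags))


def flood_mbps(pps, ip_len, vlan_tags=0):
    """Link bandwidth (Mbit/s) consumed by pps packets/s of ip_len-byte packets."""
    return pps * wire_bytes(ip_len, vlan_tags) * 8 / 1_000_000


def l3_mbps(pps, ip_len):
    """What a counter that only sees the IP packet (post L2 strip) reports."""
    return pps * ip_len * 8 / 1_000_000


def saturating_pps(link_mbps, ip_len, vlan_tags=0):
    """Packet rate at which ip_len-byte packets fill a link_mbps link."""
    return link_mbps * 1_000_000 // 8 // wire_bytes(ip_len, vlan_tags)


if __name__ == "__main__":
    LINK_MBPS, PPS, IP_LEN = 300, 350_000, 40   # figures from the thread
    for tags in (0, 1):
        print(f"--- {IP_LEN}-byte IP packet, {tags} VLAN tag(s) ---")
        for field, n in frame_breakdown(IP_LEN, tags):
            print(f"{field:<18}{n:>4} bytes")
        print(f"{'on the wire':<18}{wire_bytes(IP_LEN, tags):>4} bytes")
        print(f"L3 counters show  {l3_mbps(PPS, IP_LEN):7.1f} Mb/s")
        used = flood_mbps(PPS, IP_LEN, tags)
        print(f"wire actually     {used:7.1f} Mb/s of {LINK_MBPS} "
              f"({100 * used / LINK_MBPS:.0f}%)")
        print(f"link full at      {saturating_pps(LINK_MBPS, IP_LEN, tags):,} pps")
```

The gap between `l3_mbps` and `flood_mbps` is the number to keep in mind when reading interface counters during a small-packet flood: 350kpps of 40-byte packets looks like 112Mb/s at layer 3 but costs 235Mb/s untagged, or 246Mb/s on a tagged link, and the same 300Mb/s pipe is full at roughly 446k untagged or 426k tagged packets per second.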
More information about the juniper-nsp mailing list