[j-nsp] Bgp peer sessions flap in 165k-245k pps/sec DoS
Samit
janasamit at wlink.com.np
Sun Feb 15 05:49:49 EST 2009
I do have a filter in place to protect the RE. But the attack is not
targeted or directed to any interfaces of my router. My customer network
was under DoS attack; tcpdump snapshot attached below, "x" is source
and "y" is target.
04:16:18.225986 IP x.x.x.x.12372 > y.y.y.y.18990: UDP, length 36
04:16:18.226063 IP x.x.x.x.12372 > y.y.y.y.18990: UDP, length 36
04:16:18.226072 IP x.x.x.x.12372 > y.y.y.y.18990: UDP, length 36
04:16:18.226091 IP x.x.x.x.12372 > y.y.y.y.18990: UDP, length 36
04:16:18.226095 IP x.x.x.x.12372 > y.y.y.y.18990: UDP, length 36
04:16:18.226112 IP x.x.x.x.12372 > y.y.y.y.18990: UDP, length 36
04:16:18.226115 IP x.x.x.x.12372 > y.y.y.y.18990: UDP, length 36
04:16:18.226131 IP x.x.x.x.12372 > y.y.y.y.18990: UDP,
I don't have pfe stats from during the DoS, but this is how the output
looks now.
Packet Forwarding Engine traffic statistics:
Input packets: 40918149601 102324 pps
Output packets: 40903880367 102281 pps
Packet Forwarding Engine local traffic statistics:
Local packets input : 4603616
Local packets output : 5077330
Software input control plane drops : 0
Software input high drops : 0
Software input medium drops : 0
Software input low drops : 0
Software output drops : 0
Hardware input drops : 0
Packet Forwarding Engine local protocol statistics:
HDLC keepalives : 143360
ATM OAM : 0
Frame Relay LMI : 0
PPP LCP/NCP : 0
OSPF hello : 0
OSPF3 hello : 0
RSVP hello : 0
LDP hello : 0
BFD : 0
IS-IS IIH : 0
Packet Forwarding Engine hardware discard statistics:
Timeout : 0
Truncated key : 0
Bits to test : 0
Data error : 0
Stack underflow : 0
Stack overflow : 0
Normal discard : 14002963
Extended discard : 41297
Invalid interface : 0
Info cell drops : 0
Fabric drops : 0
Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error statistics:
Input Checksum : 196
Output MTU : 0
I don't have JTAC support access.. :)
Regards,
Samit
Nilesh Khambal wrote:
> Hi Samit,
>
> Do you have the output of "show pfe statistics traffic" from this router?
>
> What was the type of DoS attack traffic? Was it directed to any of the
> interfaces on the router? Did you have any filter applied to loopback
> interface to drop such traffic? If yes, did any of the filters that were
> applied to the interface matching DoS traffic have a reject action in them?
> Is any syslogging enabled in any of the filter terms that were matching
> the attack traffic?
>
> Also, I would recommend involving JTAC during such incidents in future.
> They can help you figure out the problem.
>
> Thanks,
> Nilesh
>
>
> On Feb 14, 2009, at 11:19 PM, "Samit" <janasamit at wlink.com.np> wrote:
>
>> Hi,
>>
>> Today early in the morning around 4am we had a UDP-based DoS from the
>> Internet destined to one of my customer networks for about over 1.5hr.
>> The pps rate was from 165k to 245k peak and at the rate of around 90Mbps
>> as per the MRTG graphs. I don't have any QoS running, but I noticed
>> later that all BGP peer sessions flapped during that period though I
>> have plenty of capacity in my upstream as well as in downstream links,
>> therefore I don't say the M7i fully survived and handled it. M7i is
>> capable of forwarding 16 million pps and additionally I have plenty of
>> free bandwidth available, so there should not be any interface buffer
>> exhaustion or link saturation. Therefore, I failed to understand the
>> reason for the BGP flaps. Can anyone help me understand?
>>
>>
>> Regards,
>> Samit
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
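Added example, not part of the original thread: a small Python parser for tcpdump text output like the snapshot above, which groups UDP packets by flow and estimates each flow's packet rate from the timestamps. The sample capture and its addresses are constructed, and the function names and the min_packets threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump text format as the post; the
# addresses are documentation ranges, not the real source or target.
SAMPLE = """\
04:16:18.225986 IP 192.0.2.10.12372 > 198.51.100.20.18990: UDP,
length 36
04:16:18.226063 IP 192.0.2.10.12372 > 198.51.100.20.18990: UDP, length 36
04:16:18.226072 IP 192.0.2.10.12372 > 198.51.100.20.18990: UDP, length 36
04:16:18.226091 IP 192.0.2.10.12372 > 198.51.100.20.18990: UDP, length 36
04:16:18.226095 IP 192.0.2.10.12372 > 198.51.100.20.18990: UDP, length 36
04:16:19.000000 IP 203.0.113.5.53 > 198.51.100.20.40000: UDP, length 120
04:16:18.226112 IP 192.0.2.10.12372 > 198.51.100.20.18990: UDP,
"""

LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP,"
    r"(?: length (\d+))?")

def parse(text):
    """Yield (timestamp_us, flow, payload_len or None) per UDP packet line."""
    # Mail clients wrap "UDP,\nlength 36"; rejoin before matching.
    text = re.sub(r"UDP,\s*\n\s*length", "UDP, length", text)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s, us = (int(m.group(i)) for i in range(1, 5))
        ts = ((h * 60 + mi) * 60 + s) * 1_000_000 + us
        flow = (m.group(5), int(m.group(6)), m.group(7), int(m.group(8)))
        yield ts, flow, int(m.group(9)) if m.group(9) else None

def flow_rates(text, min_packets=3):
    """Return {flow: (packets, pps or None, payload sizes)} per busy flow."""
    seen = defaultdict(list)
    for ts, flow, length in parse(text):
        seen[flow].append((ts, length))
    out = {}
    for flow, pkts in seen.items():
        if len(pkts) < min_packets:
            continue
        times = sorted(t for t, _ in pkts)  # tolerate out-of-order lines
        span = times[-1] - times[0]
        pps = round((len(pkts) - 1) * 1_000_000 / span) if span else None
        out[flow] = (len(pkts), pps, {l for _, l in pkts if l is not None})
    return out

print(flow_rates(SAMPLE))
```

A rate computed from a handful of packets only reflects that burst; run it over a longer capture before comparing the per-flow figure with interface graphs.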