[j-nsp] Paid: need small M7i config snippet (policer)
Tarique A. Nalkhande - BMC
t.nalkhande.bmc at mobily.com.sa
Tue Apr 19 02:36:19 EDT 2011
Markus,
The percentage of UDP traffic can vary from less than 5 percent to more than 50 percent of network traffic. After establishing a baseline, you can decide if it is necessary to rate-limit UDP to preserve bandwidth for other protocols.
For establishing the above baseline, counters should be implemented on routers to count UDP packets traversing the network. By comparing these counters with the total number of packets seen, you can derive a percentage of total packets and bandwidth.
set firewall filter <ur existing filter> term udp from protocol udp
set firewall filter <ur existing filter> term udp from destination-port <>
set firewall filter <ur existing filter> term udp then count udp-traffic
Just add the above term in your existing input filter facing upstream providers in order to derive the % UDP traffic for setting the threshold (if required). (You may need to monitor it for a couple of days to get the maximum average value.) You can in fact even poll this counter in your Cacti/MRTG to get a pictorial view of its min/avg/max value.
Regarding rate-limiting UDP traffic on lo0.0, it depends on your setup & the protocols you are running like SNMP, DNS, NTP, LDP & so on... IMHO rather than rate-limiting, a more feasible approach would be to define a trusted source-prefix for all UDP traffic meant for the router.
Ex:
set firewall family inet filter Loopback-Filter term DNS from source-address <DNS IP>
set firewall family inet filter Loopback-Filter term DNS from protocol udp
set firewall family inet filter Loopback-Filter term DNS from source-port 53
set firewall family inet filter Loopback-Filter term DNS then accept
set firewall family inet filter Loopback-Filter term LDP from source-address <Internal Subnets used for LDP>
set firewall family inet filter Loopback-Filter term LDP from protocol udp
set firewall family inet filter Loopback-Filter term LDP from protocol tcp
set firewall family inet filter Loopback-Filter term LDP from port ldp
set firewall family inet filter Loopback-Filter term LDP then accept
Hope it helps!
Thanks & Regards
Tarique Abbas Nalkhande
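As an added example (not from either poster), here is how Markus's first requirement and Tarique's counting term fit together in one Junos firewall filter, written in hierarchical form rather than set form: the count term runs first and falls through with next term, so the udp-traffic counter keeps showing total inbound UDP for baselining, and the policer caps UDP toward one customer prefix at 50 Mbps. The filter name, the customer prefix 192.0.2.0/24 and the burst size are assumptions (the burst follows the common 5 ms-of-line-rate rule of thumb for a 1 GE port).

```junos
firewall {
    policer UDP-50M {
        /* 50 Mbps ceiling for UDP toward the customer prefix */
        if-exceeding {
            bandwidth-limit 50m;
            /* assumed: 5 ms of 1 GE line rate = 625 KB burst */
            burst-size-limit 625k;
        }
        then discard;
    }
    family inet {
        filter UPSTREAM-IN {
            /* count all UDP first, then fall through to policing */
            term udp-count {
                from {
                    protocol udp;
                }
                then {
                    count udp-traffic;
                    next term;
                }
            }
            term udp-to-customer {
                from {
                    /* assumed customer subnet (RFC 5737 placeholder) */
                    destination-address {
                        192.0.2.0/24;
                    }
                    protocol udp;
                }
                then {
                    policer UDP-50M;
                    accept;
                }
            }
            /* filters end in an implicit discard, so accept the rest */
            term default {
                then accept;
            }
        }
    }
}
```

Apply it on the upstream-facing port with set interfaces <port> unit 0 family inet filter input UPSTREAM-IN, then read the counter and the policer drops with show firewall filter UPSTREAM-IN.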
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Markus
Sent: 19 April, 2011 3:34 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Paid: need small M7i config snippet (policer)
Hi,
I have an M7i and some customers are attracting DDoS attacks (UDP packet floods) causing some 100 Mbps switches in the LAN to saturate and, in case of large DDoSes, sometimes also the upstream links. This is not good. :)
Therefore I'd like to implement the following:
UDP throughput coming in from the internet to a specific local IP address (or subnet) should never exceed 50 Mbps.
And to protect the RE: UDP throughput to the router itself should never exceed n Mbps (what's a good value?).
I have no lab router to mess around with so I would like to request a config snippet that just works. I'm offering money (PayPal, CC, wire) for the person or company who is willing to do that.
You can get in touch with me off-list.
Thank you!
Markus
PS:
Item Version Part number Serial number Description
Chassis 36947 M7i
Midplane REV 04 710-008761 CK5276 M7i Midplane
Power Supply 0 Rev 05 740-008537 5218978 AC Power Supply
Power Supply 1 Rev 05 740-008537 5240260 AC Power Supply
Routing Engine REV 06 740-011202 1000691275 RE-850
CFEB REV 04 750-010463 CK3066 Internet Processor II
FPC 0 E-FPC
PIC 0 REV 07 750-010238 CL0382 1x G/E SFP, 1000 BASE
SFP 0 REV 01 740-013111 51231147 SFP-T
FPC 1 E-FPC
PIC 2 BUILTIN BUILTIN 1x Tunnel
PIC 3 REV 06 750-009099 CK8663 1x G/E, 1000 BASE
SFP 0 REV 01 740-013111 51231161 SFP-T
--- JUNOS 8.0R2.8 built 2006-09-29 08:32:29 UTC
(Old, I know... )