[j-nsp] Whats the best way to announce an IP range in BGP? Doesn't physically exist anywhere.

Scott T. Cameron routehero at gmail.com
Mon Jun 25 08:06:15 EDT 2012


On Mon, Jun 25, 2012 at 6:56 AM, Pavel Lunin <plunin at senetsy.ru> wrote:

>
>
> >> This is exactly what happened. The session table filled up. One of
> >> our security guys took down our edge 650 cluster from a single unix
> >> box out on the net.
> > This is what happens when you use a stateful box for an internet router.
> >
> > a router with a covering aggregate and some knowledge of the more
> > specific on the interior would inexpensively discard traffic bound for
> > unreachable destinations.
>
> 1. First, sorry for writing this once again, but it's just not the case.
> Any more or less smart stateful device, whether SRX or anything else,
> must not create session states for packets falling under a discard
> route. And SRX does not, I checked. Filling up the session table is
> caused by either a bug or (rather) a design/config mistake.


I'm not sure I agree with this assessment.

The SRX is very quick at disposing of invalid sessions, generally.
However, it is easily susceptible to DDOS if you let it reach the session
table.

Here's some quick POC code:

http://pastebin.com/FjgavSwn

You can run this against some non-operational IPs that are nonetheless
present via, say, a discard route in your config.  You will see the invalid
sessions rise dramatically via 'show sec flow sess sum'.

I am no expert, but you can see how quickly this could be abused by someone
who was intent on disrupting your network -- and they wouldn't have to use
cheap perl code to do the job.

Malicious user aside, a legitimate application trying to hit an invalid IP
would give the same result.  Self-made DDOS is very common in my
experience.  In one case, we had an "updater" application which would
update drivers and software for our hardware.  It was installed on millions
of computers.  One day, the service was shut down and new software was
distributed with the products.  Many users, however, never updated, and the
software was very aggressive in calling home.  Without knowing this, a /24
was pulled down to the SRX, and the updater instantly filled the session
table.

Scott
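The symptom Scott describes is visible in the counters of 'show security flow session summary'. The following monitoring snippet is an added example, not code from the thread or from Juniper: it parses a constructed copy of that output and raises alerts when invalidated sessions dominate or the table nears its maximum. The field labels and regexes are assumptions about the output layout and should be checked against your Junos release.

```python
"""Flag SRX session-table pressure from 'show security flow session summary'."""
import re

# Constructed sample output (assumed layout, not captured from a real box).
SAMPLE_OUTPUT = """\
Unicast-sessions: 4120
Multicast-sessions: 0
Failed-sessions: 37
Sessions-in-use: 4120
  Valid sessions: 980
  Pending sessions: 12
  Invalidated sessions: 3100
  Sessions in other states: 28
Maximum-sessions: 65536
"""

# Assumed field labels; adjust the patterns if your release prints them differently.
FIELDS = {
    "in_use": r"Sessions-in-use:\s*(\d+)",
    "valid": r"Valid sessions:\s*(\d+)",
    "invalidated": r"Invalidated sessions:\s*(\d+)",
    "failed": r"Failed-sessions:\s*(\d+)",
    "maximum": r"Maximum-sessions:\s*(\d+)",
}


def parse_summary(text):
    """Extract the integer counters we care about; fail loudly if one is missing."""
    counts = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field not found in output: {name}")
        counts[name] = int(match.group(1))
    return counts


def assess(counts, invalid_ratio=0.5, fill_ratio=0.8):
    """Return alert strings for the two signals discussed in the thread:
    a large share of invalidated sessions (state created for traffic toward
    unreachable or discarded destinations) and a table approaching capacity.
    Failed-sessions > 0 means the table has already refused new sessions."""
    alerts = []
    if counts["in_use"] and counts["invalidated"] / counts["in_use"] >= invalid_ratio:
        alerts.append("invalidated-session share high")
    if counts["maximum"] and counts["in_use"] / counts["maximum"] >= fill_ratio:
        alerts.append("session table near capacity")
    if counts["failed"] > 0:
        alerts.append("failed sessions present")
    return alerts


if __name__ == "__main__":
    print(assess(parse_summary(SAMPLE_OUTPUT)))
```

Feed it the real command output (for example from a periodic `cli -c` run over SSH) and page on any non-empty alert list.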

