[j-nsp] MX480 RE-S-2000 IGMP flood

Misak Khachatryan m.khachatryan at gnc.am
Thu Jan 30 04:26:22 EST 2014 

Hello,

I met very ugly problem yesterday. Consider following scheme:


                      ================ Cisco ASR 1006
                      |
Customer ========| Juniper EX4200 |
                      |
                      ================ Juniper MX480

Customer connected by one VLAN to both routers and established BGP 
session with both.

Suddenly his router starts to send around 10000 packets per second. Most 
of them are exactly this:

"1","0.000000","0.0.0.0","224.0.0.1","IGMPv3","60","Membership Query, 
general"

MX480 is just dying from this flood of packets, where ASR is fine.

I know that several DDoS policies are preconfigured to protect RE from 
these situations but tresholds didn't trigger, so RE should handle them:

show ddos-protection protocols igmp
Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: IGMP

   Packet type: aggregate (Aggregate for all igmp traffic)
     Aggregate policer configuration:
       Bandwidth:        20000 pps
       Burst:            20000 packets
       Recover time:     300 seconds
       Enabled:          Yes
     Flow detection configuration:
       Detection mode: Automatic  Detect time:  3 seconds
       Log flows:      Yes        Recover time: 60 seconds
       Timeout flows:  No         Timeout time: 300 seconds
       Flow aggregation level configuration:
         Aggregation level   Detection mode  Control mode  Flow rate
         Subscriber          Automatic       Drop          10 pps
         Logical interface   Automatic       Drop          10 pps
         Physical interface  Automatic       Drop          20000 pps
     System-wide information:
       Aggregate bandwidth is never violated
       Received:  7268549             Arrival rate:     0 pps
       Dropped:   0                   Max arrival rate: 17204 pps
     Routing Engine information:
       Bandwidth: 20000 pps, Burst: 20000 packets, enabled
       Aggregate policer is never violated
       Received:  4270279             Arrival rate:     0 pps
       Dropped:   0                   Max arrival rate: 9979 pps
         Dropped by individual policers: 0
     FPC slot 1 information:
       Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
       Aggregate policer is never violated
       Received:  1658                Arrival rate:     0 pps
       Dropped:   0                   Max arrival rate: 2 pps
         Dropped by individual policers: 0
         Dropped by flow suppression:    0
     FPC slot 2 information:
       Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
       Aggregate policer is never violated
       Received:  7266879             Arrival rate:     0 pps
       Dropped:   0                   Max arrival rate: 17204 pps
         Dropped by individual policers: 0
         Dropped by flow suppression:    0
     FPC slot 3 information:
       Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
       Aggregate policer is never violated
       Received:  12                  Arrival rate:     0 pps
       Dropped:   0                   Max arrival rate: 0 pps
         Dropped by individual policers: 0
         Dropped by flow suppression:    0

Anybody have experience with configuration of additional mechanisms? 
Anybody nave recommendations for threshold tuning?

I'm gonna to open ticket in JTAC of course, but here i can get faster 
answers. Thank You in advance.

-- 
Best regards,
Misak Khachatryan,
Head of Network Administration
and Monitoring Department,
GNC-Alfa CJSC.

More information about the juniper-nsp mailing list