[j-nsp] MX480 RE-S-2000 IGMP flood

Misak Khachatryan m.khachatryan at gnc.am
Thu Jan 30 05:35:54 EST 2014


Thanks Abhi, I saw this document, but I need real-life experience about 
hardening thresholds or implementing additional filters/policers.

Abhi wrote:
> can you check the link below
>
> http://www.juniper.net/techpubs/en_US/junos13.2/topics/task/configuration/subscriber-management-ddos-packet.html
>
>
> regards
> abhijeet.c
>
>
> On Thursday, January 30, 2014 2:57 PM, Misak Khachatryan
> <m.khachatryan at gnc.am> wrote:
>
>     Hello,
>
>     I met very ugly problem yesterday. Consider following scheme:
>
>
>                            ================ Cisco ASR 1006
>                            |
>     Customer ========| Juniper EX4200 |
>                            |
>                            ================ Juniper MX480
>
>     Customer connected by one VLAN to both routers and established BGP
>     session with both.
>
>     Suddenly his router starts to send around 10000 packets per second.
>     Most of them are exactly this:
>
>     "1","0.000000","0.0.0.0","224.0.0.1","IGMPv3","60","Membership Query,
>     general"
>
>     The MX480 is just dying from this flood of packets, whereas the ASR is fine.
>
>     I know that several DDoS policies are preconfigured to protect the RE from
>     these situations, but the thresholds didn't trigger, so the RE should handle them:
>
>     show ddos-protection protocols igmp
>     Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
>     Currently tracked flows: 0, Total detected flows: 0
>     * = User configured value
>
>     Protocol Group: IGMP
>
>        Packet type: aggregate (Aggregate for all igmp traffic)
>          Aggregate policer configuration:
>            Bandwidth:        20000 pps
>            Burst:            20000 packets
>            Recover time:    300 seconds
>            Enabled:          Yes
>          Flow detection configuration:
>            Detection mode: Automatic  Detect time:  3 seconds
>            Log flows:      Yes        Recover time: 60 seconds
>            Timeout flows:  No        Timeout time: 300 seconds
>            Flow aggregation level configuration:
>              Aggregation level  Detection mode  Control mode  Flow rate
>              Subscriber          Automatic      Drop          10 pps
>              Logical interface  Automatic      Drop          10 pps
>              Physical interface  Automatic      Drop          20000 pps
>          System-wide information:
>            Aggregate bandwidth is never violated
>            Received:  7268549            Arrival rate:    0 pps
>            Dropped:  0               Max arrival rate: 17204 pps
>          Routing Engine information:
>            Bandwidth: 20000 pps, Burst: 20000 packets, enabled
>            Aggregate policer is never violated
>            Received:  4270279            Arrival rate:    0 pps
>            Dropped:  0                  Max arrival rate: 9979 pps
>              Dropped by individual policers: 0
>          FPC slot 1 information:
>            Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
>            Aggregate policer is never violated
>            Received:  1658                Arrival rate:    0 pps
>            Dropped:  0                 Max arrival rate: 2 pps
>              Dropped by individual policers: 0
>              Dropped by flow suppression:    0
>          FPC slot 2 information:
>            Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
>            Aggregate policer is never violated
>            Received:  7266879            Arrival rate:    0 pps
>            Dropped:  0                  Max arrival rate: 17204 pps
>              Dropped by individual policers: 0
>              Dropped by flow suppression:    0
>          FPC slot 3 information:
>            Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
>            Aggregate policer is never violated
>            Received:  12                  Arrival rate:    0 pps
>            Dropped:  0                  Max arrival rate: 0 pps
>              Dropped by individual policers: 0
>              Dropped by flow suppression:    0
>
>     Does anybody have experience with configuration of additional mechanisms?
>     Does anybody have recommendations for threshold tuning?
>
>     I'm going to open a ticket with JTAC, of course, but here I can get faster
>     answers. Thank you in advance.
>
>     --
>     Best regards,
>     Misak Khachatryan,
>     Head of Network Administration
>     and Monitoring Department,
>     GNC-Alfa CJSC.
>     _______________________________________________
>     juniper-nsp mailing list juniper-nsp at puck.nether.net
>     <mailto:juniper-nsp at puck.nether.net>
>     https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>

-- 
Best regards,
Misak Khachatryan,
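Added example, not posted by anyone in this thread and not Juniper's own recommendation: a Junos configuration that does the two things the question asks about, lowering the IGMP ddos-protection ceiling and adding a loopback filter with a policer. The posted output shows the default IGMP aggregate policer at 20000 pps/20000 packets and a peak RE arrival rate of 9979 pps, so the default never fired; the values below are illustrative assumptions to be sized from your own "show ddos-protection" history, the prefix-list, filter and policer names are made up, and the peer addresses are documentation addresses. Whether the flow-detection knobs are available depends on the Junos release and line cards in the chassis; the posted output shows flow-detection fields, so they are assumed to exist here.

```junos
/* Added example for the thread above; numeric values are assumptions,
   names (protect-re, igmp-to-re, bgp-peers) are invented for illustration. */
system {
    ddos-protection {
        global {
            /* Per-interface flow tracking is not active until enabled here.
               With it on, the one VLAN sourcing the flood is suppressed on its
               own rather than all IGMP to the RE being policed as one bucket. */
            flow-detection;
        }
        protocols {
            igmp {
                aggregate {
                    /* Posted defaults were 20000 pps / 20000 packets;
                       the observed peak of 9979 pps never reached them. */
                    bandwidth 1000;
                    burst 500;
                    recover-time 300;
                    /* Assumed per-logical-interface rate above which that
                       interface's IGMP is classed as a culprit flow and dropped. */
                    flow-level-bandwidth {
                        logical-interface 100;
                    }
                    flow-level-control {
                        logical-interface drop;
                    }
                }
            }
        }
    }
}
policy-options {
    prefix-list bgp-peers {
        /* constructed: the customer's BGP peer addresses, documentation range */
        192.0.2.1/32;
        192.0.2.2/32;
    }
}
firewall {
    policer igmp-to-re {
        /* Assumed sizing. bandwidth-limit is in bits/s, burst-size-limit in bytes;
           64 kbit/s is roughly 130 of the 60-byte queries per second. */
        if-exceeding {
            bandwidth-limit 64k;
            burst-size-limit 10k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            term bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term igmp {
                from {
                    protocol igmp;
                }
                then {
                    policer igmp-to-re;
                    count igmp-to-re;
                    accept;
                }
            }
            term rest {
                /* Placeholder: tighten to the control-plane traffic you actually need. */
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Two caveats before committing something like this. The lo0 policer and the lowered ddos-protection ceiling apply to IGMP from every interface, not only the misbehaving customer, so legitimate queriers and reports on other VLANs share the same budget; if that customer VLAN carries no multicast at all, an input filter on that unit discarding protocol igmp is the more targeted fix. After the commit, check that the policer is actually in effect with "show ddos-protection protocols igmp" (the "* = User configured value" marker should now appear on the bandwidth line) and watch "show ddos-protection protocols igmp violations" and the igmp-to-re counter in "show firewall" during the next burst.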