[j-nsp] MX480 RE-S-2000 IGMP flood
Misak Khachatryan
m.khachatryan at gnc.am
Thu Jan 30 05:35:54 EST 2014
Thanks Abhi, I saw this document, but I need real-life experience with
hardening thresholds or implementing additional filters/policers.
Abhi wrote:
> Can you check the link below?
>
> http://www.juniper.net/techpubs/en_US/junos13.2/topics/task/configuration/subscriber-management-ddos-packet.html
>
>
> regards
> abhijeet.c
>
>
> On Thursday, January 30, 2014 2:57 PM, Misak Khachatryan
> <m.khachatryan at gnc.am> wrote:
>
> Hello,
>
> I met a very ugly problem yesterday. Consider the following scheme:
>
>
>                                   ================ Cisco ASR 1006
>                                   |
> Customer ========| Juniper EX4200 |
>                                   |
>                                   ================ Juniper MX480
>
> The customer is connected by one VLAN to both routers and has established a
> BGP session with both.
>
> Suddenly his router started sending around 10000 packets per second. Most
> of them are exactly this:
>
> "1","0.000000","0.0.0.0","224.0.0.1","IGMPv3","60","Membership Query, general"
>
> The MX480 is just dying from this flood of packets, whereas the ASR is fine.
>
> I know that several DDoS policies are preconfigured to protect the RE from
> these situations, but the thresholds didn't trigger, so the RE should handle them:
>
> show ddos-protection protocols igmp
> Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
> Currently tracked flows: 0, Total detected flows: 0
>   * = User configured value
>
> Protocol Group: IGMP
>
>   Packet type: aggregate (Aggregate for all igmp traffic)
>     Aggregate policer configuration:
>       Bandwidth:        20000 pps
>       Burst:            20000 packets
>       Recover time:     300 seconds
>       Enabled:          Yes
>     Flow detection configuration:
>       Detection mode: Automatic  Detect time:  3 seconds
>       Log flows:      Yes        Recover time: 60 seconds
>       Timeout flows:  No         Timeout time: 300 seconds
>       Flow aggregation level configuration:
>         Aggregation level   Detection mode  Control mode  Flow rate
>         Subscriber          Automatic       Drop          10 pps
>         Logical interface   Automatic       Drop          10 pps
>         Physical interface  Automatic       Drop          20000 pps
>     System-wide information:
>       Aggregate bandwidth is never violated
>       Received:  7268549             Arrival rate:     0 pps
>       Dropped:   0                   Max arrival rate: 17204 pps
>     Routing Engine information:
>       Bandwidth: 20000 pps, Burst: 20000 packets, enabled
>       Aggregate policer is never violated
>       Received:  4270279             Arrival rate:     0 pps
>       Dropped:   0                   Max arrival rate: 9979 pps
>         Dropped by individual policers: 0
>     FPC slot 1 information:
>       Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
>       Aggregate policer is never violated
>       Received:  1658                Arrival rate:     0 pps
>       Dropped:   0                   Max arrival rate: 2 pps
>         Dropped by individual policers: 0
>         Dropped by flow suppression:    0
>     FPC slot 2 information:
>       Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
>       Aggregate policer is never violated
>       Received:  7266879             Arrival rate:     0 pps
>       Dropped:   0                   Max arrival rate: 17204 pps
>         Dropped by individual policers: 0
>         Dropped by flow suppression:    0
>     FPC slot 3 information:
>       Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
>       Aggregate policer is never violated
>       Received:  12                  Arrival rate:     0 pps
>       Dropped:   0                   Max arrival rate: 0 pps
>         Dropped by individual policers: 0
>         Dropped by flow suppression:    0
>
> Does anybody have experience with configuring additional mechanisms?
> Does anybody have recommendations for threshold tuning?
>
> I'm going to open a ticket with JTAC, of course, but here I can get faster
> answers. Thank you in advance.
>
> --
> Best regards,
> Misak Khachatryan,
> Head of Network Administration
> and Monitoring Department,
> GNC-Alfa CJSC.
--
Best regards,
Misak Khachatryan,