[j-nsp] MX480 RE-S-2000 IGMP flood

santiago martinez santiago.martinez.uk at gmail.com
Thu Jan 30 11:29:05 EST 2014


Hi Saku, agree with you, LPTS is doing a better job right now...
If I'm not wrong or misinterpreting Juniper documentation, Junos ddos
already supports per flow ddos (12.3 and later)
Best regards
Santiago

url:
http://www.juniper.net/techpubs/en_US/junos12.3/topics/task/configuration/scfd-enable-globally.html

[edit system ddos-protection global]
user@host# set flow-detection

(statement references:
http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/configuration-statement/global-edit-ddos.html
http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/configuration-statement/enable-scfd-edit-system-ddos-protection.html)


On Thu, Jan 30, 2014 at 2:46 PM, Saku Ytti <saku at ytti.fi> wrote:

> On (2014-01-30 14:35 +0400), Misak Khachatryan wrote:
>
> > Thanks Abhi, i saw this document, but i need real life experience
> > about hardening thresholds or implementing additional
> > filter/policers.
>
> In my experience there is some built-in unconfigurable policer to limit how
> many packets can hit the control-plane.
> Under attack, when IGP, BGP, LDP etc. are all dead, the UI is a happy camper,
> with control-plane CPU load in MX960 at just a few percent when it should be
> dying; the global policer is just making the attacker's job easier by
> essentially downgrading CPU performance.
>
> So it probably goes something like this
>
> traffic => if-filter => lo-filter => ddos-policer =>
> global-unconfigurable-policer
>
> Stock limit for most DDoS policers is 20kpps, which is more than enough
> to bring an MX960 to its knees.
>
> If your DDoS policer can see good and bad traffic, a low limit will just make
> attacking easier. It's mostly useful to catch things lo0 cannot reasonably
> protect like HTTP rate (you'd need a <=4Mbps policer to have acceptable
> pps), BGP rate, etc., and to catch non-IP stuff lo0 cannot handle, and to fix
> accidental errors causing a flood of 'trusted/good' packets.
> But in this case, you'd rather keep IGP and BGP rocking than multicast, so
> I'd police all non-critical to under 4kpps in the DoS policer. For critical I'd
> try to guarantee only good traffic passes lo0.
>
> Longer term, JunOS should adapt LPTS from IOS-XR, where each session has
> unique policer, making sure that one session attacking does not stop
> non-attacking sessions from working.
> Shorter term JunOS should add PPS policers in FW filters for proper lo0
> filtering and configurable global policer (I'd just remove it personally).
>
>
>
> --
>   ++ytti
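An added configuration example, not from this thread or from Juniper's documentation, that puts the two mechanisms discussed above side by side on one MX: a per-protocol IGMP policer under system ddos-protection with flow-detection enabled, and a lo0 filter policer for the same traffic. The policer and filter names, the 4000 pps figure and the 4m figure are illustrative assumptions; note that the lo0 policer's bandwidth-limit is in bits per second, so 4m is only about 8 kpps of 64-byte IGMP packets (4,000,000 / 512), which is the bps-versus-pps mismatch Saku points out.

```junos
/* Added example (assumed values): Junos DDoS protection for IGMP.
   bandwidth/burst here are in packets per second. */
system {
    ddos-protection {
        global {
            /* per-flow suspicious control flow detection, Junos 12.3+ */
            flow-detection;
        }
        protocols {
            igmp {
                aggregate {
                    bandwidth 4000;   /* pps, well under the 20kpps stock limit */
                    burst 4000;
                }
            }
        }
    }
}
/* lo0 policer for the same traffic: bandwidth-limit is bits per second,
   so 4m is roughly 8 kpps of 64-byte packets, not a true pps limit. */
firewall {
    policer lo0-igmp-limit {
        if-exceeding {
            bandwidth-limit 4m;
            burst-size-limit 100k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            term igmp {
                from {
                    protocol igmp;
                }
                then {
                    policer lo0-igmp-limit;
                    accept;
                }
            }
            /* placeholder: a production lo0 filter whitelists each
               protocol and source and discards the rest */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After commit, "show ddos-protection protocols igmp statistics" shows whether the per-protocol policer is dropping, while the lo0 policer is counted separately under the firewall filter.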
