[j-nsp] MX80 pfe hardware input drops

Alexander Kasatkin snoop at linkbeat.net
Fri Jan 31 04:02:24 EST 2014 

Hello community,

  I've strange behavior of my MX80 (junos version 11.4R8.4) under ddos
attacks. Router drops all bgp sessions (hold timer expiry) with a
3-5gbps ddos. Can someone explain me what a hardware input drops is:

snoop at mx80> show pfe statistics traffic
Packet Forwarding Engine traffic statistics:
    Input  packets:       39678419501507              1706807 pps
    Output packets:       39420428185109              1740106 pps
Packet Forwarding Engine local traffic statistics:
    Local packets input                 :           3054025645
    Local packets output                :           2570628629
    Software input control plane drops  :                    0
    Software input high drops           :                    0
    Software input medium drops         :                    0
    Software input low drops            :                    0
    Software output drops               :                    0
    Hardware input drops                :           1694162000

I've firewall input filter on lo0.0 and jddos enabled and I've noticed
that protocol reject is violated while ddos is active:

Jan 31 09:40:19  mx80 jddosd[1386]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 0 for 1086 times, started
at 2014-01-31 09:40:18 EET, last seen at 2014-01-31 09:40:18 EET


snoop at mx80> show ddos-protection protocols reject
Protocol Group: Reject

  Packet type: aggregate (Aggregate for all reject traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            80000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    System-wide information:
      Aggregate bandwidth is no longer being violated
No. of FPCs that have received excess traffic: 1
Last violation started at: 2014-01-31 09:40:18 EET
Last violation ended at:   2014-01-31 09:50:38 EET
Duration of last violation: 00:10:20 Number of violations: 1086
      Received:  25457232543         Arrival rate:     966 pps
      Dropped:   2962974870          Max arrival rate: 262754 pps
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 80000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
Dropped by individual policers: 0
    FPC slot 0 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (80000 packets), enabled
      Aggregate policer is no longer being violated
Last violation started at: 2014-01-31 09:40:18 EET
Last violation ended at:   2014-01-31 09:50:38 EET
Duration of last violation: 00:10:20 Number of violations: 1086
      Received:  25457232543         Arrival rate:     966 pps
      Dropped:   2962974870          Max arrival rate: 262754 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 2962974870

But I don't have any reject action in firewall rules. Please point me
to right direction.

Kind regards,
Alexander.

More information about the juniper-nsp mailing list