[j-nsp] MX issue
Huan Pham
drie.huanpham at gmail.com
Sat Oct 18 03:29:27 EDT 2014
You can customise the DDOS protection config. In the example below, I set the
policing rates quite low, so I can simulate the DDOS and observe the
policing in action.
Simulating the DDOS by:
ping <myself> rapid 10000, or
telnet <myself> and then issue show config | no-more, which
generates quite a lot of packets.
admin at MX5> show configuration system ddos-protection
protocols {
    icmp {
        aggregate {
            bandwidth 10;
        }
    }
    telnet {
        aggregate {
            bandwidth 50;
        }
    }
}
admin at MX5> show log messages | match DDOS
Oct 18 15:17:05 MX5 jddosd[1342]: DDOS_PROTOCOL_VIOLATION_SET: Protocol
ICMP:aggregate is violated at fpc 0 for 1 times, started at 2014-10-18
15:17:04 WST, last seen at 2014-10-18 15:17:04 WST
Oct 18 15:17:25 MX5 jddosd[1342]: DDOS_PROTOCOL_VIOLATION_SET: Protocol
Telnet:aggregate is violated at fpc 0 for 1 times, started at 2014-10-18
15:17:24 WST, last seen at 2014-10-18 15:17:24 WST
admin at MX5> show ddos-protection statistics
DDOS protection global statistics:
Currently violated packet types: 2
Packet types have seen violations: 2
Total violation counts: 2
admin at MX5> show ddos-protection protocols statistics
## output omitted ##
admin at MX5> show ddos-protection protocols icmp statistics
Protocol Group: ICMP
Packet type: aggregate
System-wide information:
Aggregate bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2014-10-18 15:17:04 WST
Violation last seen at: 2014-10-18 15:17:09 WST
Duration of violation: 00:00:05 Number of violations: 1
Received: 49124 Arrival rate: 0 pps
Dropped: 11 Max arrival rate: 3526 pps
Routing Engine information:
Aggregate policer is never violated
Received: 49113 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 3541 pps
Dropped by individual policers: 0
FPC slot 0 information:
Aggregate policer is currently being violated!
Violation first detected at: 2014-10-18 15:17:04 WST
Violation last seen at: 2014-10-18 15:17:09 WST
Duration of violation: 00:00:05 Number of violations: 1
Received: 49124 Arrival rate: 0 pps
Dropped: 11 Max arrival rate: 3526 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 11
admin at MX5> show ddos-protection protocols telnet statistics
Protocol Group: Telnet
Packet type: aggregate
System-wide information:
Aggregate bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2014-10-18 15:17:24 WST
Violation last seen at: 2014-10-18 15:18:39 WST
Duration of violation: 00:01:15 Number of violations: 1
Received: 1772 Arrival rate: 15 pps
Dropped: 16 Max arrival rate: 35 pps
Routing Engine information:
Aggregate policer is never violated
Received: 1758 Arrival rate: 14 pps
Dropped: 0 Max arrival rate: 31 pps
Dropped by individual policers: 0
FPC slot 0 information:
Aggregate policer is currently being violated!
Violation first detected at: 2014-10-18 15:17:24 WST
Violation last seen at: 2014-10-18 15:18:39 WST
Duration of violation: 00:01:15 Number of violations: 1
Received: 1772 Arrival rate: 15 pps
Dropped: 16 Max arrival rate: 35 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 16
On Sat, Oct 18, 2014 at 5:55 PM, dim0sal <dim0sal at hotmail.com> wrote:
> Hi Huan
> CPU is very low and there is anything in the logs telling something about
> policing/rate limiting/ddos protection.
>
> It is also not related to dns reverse-lookup.
>
> I've asked for monitor traffic and waiting for that.
>
> Maybe it's a bug? If I do not find anything more I ll move to jtac I guess.
>
> Tks
>
> -------- Original Message --------
> From: Huan Pham <drie.huanpham at gmail.com>
> Date:
> To: R LAS <dim0sal at hotmail.com>
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] MX issue
>
>
> Hi,
>
> If the passing through traffic does not experience any issue, then I do
> not think it is related to "asymmetric" routing, or a congestion on a
> particular link in the multi paths that exist between MX1 & MX4.
>
> It is more likely related to a high CPU utilisation on MX4, or a RE
> protection (policing/ rate-limiting) mechanism on MX4.
>
> Huan,
>
> > On 17 Oct 2014, at 6:52 pm, R LAS <dim0sal at hotmail.com> wrote:
> >
> > Strange issue.
> >
> > Let's put it simply, my customer has a network like this:
> >
> > MX1 --- wan -- MX3
> >  |              |
> > MX2 --- wan -- MX4
> >
> > MX are MX480.
> >
> > Pings from MX1 to a vip address active on MX4 are 40% lost.
> >
> > A telnet from MX1 to a vip address active on MX4 takes 20 to 50 seconds
> > to open the first time, the second is faster.
> > I suspect asymmetric routing but it's still not clear (I do not manage
> > the customer net).
> >
> > I'm told that passing through traffic does not experience any kind of
> > issue.
> >
> > I'm thinking of ddos protection but still not got the output from the
> > customer...
> > Any other idea about the issue?
> >
> > Greetings
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
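The jddosd DDOS_PROTOCOL_VIOLATION_SET messages shown at the top of the thread are the quickest way to confirm that RE protection, rather than the forwarding path, is dropping the customer's pings and telnet sessions. The following is an added example (not code from the post or from Juniper) that re-joins entries a mail client has wrapped, parses them into structured records, and lists the violated protocol groups so they can be checked against the "Currently violated packet types" counter. The two sample entries are the ones from the post; the regular expression assumes the message layout shown there.

```python
import re
from datetime import datetime

# The two jddosd entries from the post, still wrapped by the mail client.
# A real syslog file carries each entry on a single line.
SAMPLE_LOG = """\
Oct 18 15:17:05 MX5 jddosd[1342]: DDOS_PROTOCOL_VIOLATION_SET: Protocol
ICMP:aggregate is violated at fpc 0 for 1 times, started at 2014-10-18
15:17:04 WST, last seen at 2014-10-18 15:17:04 WST
Oct 18 15:17:25 MX5 jddosd[1342]: DDOS_PROTOCOL_VIOLATION_SET: Protocol
Telnet:aggregate is violated at fpc 0 for 1 times, started at 2014-10-18
15:17:24 WST, last seen at 2014-10-18 15:17:24 WST
"""

# A line that begins with a syslog timestamp and hostname starts a new entry.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")

# Field layout as seen in the post (assumed to be the general form).
VIOLATION = re.compile(
    r"jddosd\[\d+\]: DDOS_PROTOCOL_VIOLATION_SET: "
    r"Protocol (?P<group>[^:]+):(?P<ptype>\S+) is violated at fpc (?P<fpc>\d+) "
    r"for (?P<count>\d+) times, started at (?P<start>\S+ \S+) \S+, "
    r"last seen at (?P<last>\S+ \S+) \S+$"
)

def unwrap(text):
    """Re-join entries that were wrapped onto several lines in transit."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SYSLOG_START.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def parse_violations(text):
    """Return one dict per DDOS_PROTOCOL_VIOLATION_SET entry found in text."""
    records = []
    for entry in unwrap(text):
        m = VIOLATION.search(entry)
        if not m:
            continue  # other jddosd or unrelated syslog lines
        rec = m.groupdict()
        rec["fpc"] = int(rec["fpc"])
        rec["count"] = int(rec["count"])
        rec["start"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
        rec["last"] = datetime.strptime(rec["last"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records

def violated_groups(text):
    """'group:packet-type' keys, to compare with 'show ddos-protection statistics'."""
    return {f"{r['group']}:{r['ptype']}" for r in parse_violations(text)}
```

The set returned by violated_groups should match the "Currently violated packet types" count in the global statistics; a mismatch usually means a later DDOS_PROTOCOL_VIOLATION_CLEAR entry has not been taken into account.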