[j-nsp] Juniper SRX3600 has a bug I think

Cahit Eyigünlü cahit.eyigunlu at spd.net.tr
Fri May 15 15:27:17 EDT 2015


We have an SRX 3600 with 3x SPC and 1x NPC; the detailed configuration is given below:


root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AB4209AA0014      SRX 3600
Midplane         REV 07   710-020310   AAAV0320          SRX 3600 Midplane
PEM 0            rev 08   740-027644   G087FD002R08P     AC Power Supply
PEM 1            rev 08   740-027644   G087FE004B08P     AC Power Supply
CB 0             REV 14   750-021914   AAAV0881          SRX3k RE-12-10
  Routing Engine          BUILTIN      BUILTIN           Routing Engine
  CPP                     BUILTIN      BUILTIN           Central PFE Processor
  Mezz           REV 08   710-021035   AAAN7843          SRX HD Mezzanine Card
FPC 0            REV 16   750-021882   AADE3908          SRX3k SFB 12GE
  PIC 0                   BUILTIN      BUILTIN           8x 1GE-TX 4x 1GE-SFP
FPC 1            REV 20   750-020321   AAFE5669          SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0                NON-JNPR     T09L21440         XFP-10G-SR
    Xcvr 1                NON-JNPR     T09L21452         XFP-10G-SR
FPC 4            REV 14   750-020321   AAAV0984          SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0                NON-JNPR     T09L21443         XFP-10G-SR
    Xcvr 1                NON-JNPR     T09L21436         XFP-10G-SR
FPC 7            REV 13   750-016077   AADC9162          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp-Flow
FPC 10           REV 19   750-017866   AABZ0103          SRX3k NPC
  PIC 0                   BUILTIN      BUILTIN           NPC PIC
FPC 11           REV 16   750-016077   AAEA6880          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
FPC 12           REV 13   750-016077   AADC9166          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
Fan Tray 0       REV 06   750-021599   AAAM4505          SRX 3600 Fan Tray




We have a test lab and we are sending UDP flood traffic from the untrust zone to the trust zone.

Real ip address   -- 1G port  ---- Ex4200  ----  10G port  -----   Untrust SRX Zone ------ Trust SRX zone  ---- 10G port---- Ex4200 Switch ----1G port--- Server


The attack script is sending 29-byte UDP packets (1 byte data length).

And we realize that the NPC does not distribute connections in this situation, and SPC 7 (which works in combo mode) starts dropping packets while the other SPCs are empty.


root> show security monitoring performance spu
fpc 7 pic 0
Last 60 seconds:
  0:   25   1:   26   2:   27   3:   26   4:   26   5:   27   6:   27   7:   27   8:   27   9:   27
 10:   27  11:   27  12:   67  13:   67  14:   67  15:   67  16:   33  17:   25  18:   24  19:   27
 20:   22  21:   21  22:   27  23:   27  24:   26  25:   16  26:   19  27:   40  28:   68  29:   63
 30:   66  31:   68  32:   67  33:   65  34:   68  35:   65  36:   66  37:   67  38:   63  39:   27
 40:   27  41:   27  42:   27  43:   27  44:   27  45:   27  46:   27  47:   27  48:   27  49:   27
 50:   27  51:   40  52:   42  53:   42  54:   42  55:   41  56:   41  57:   42  58:   36  59:   27
fpc 11 pic 0
Last 60 seconds:
  0:    0   1:    0   2:    0   3:    0   4:   14   5:   49   6:   51   7:   51   8:   50   9:   50
 10:   51  11:   51  12:   34  13:    0  14:    0  15:    0  16:    0  17:    0  18:    0  19:    0
 20:   14  21:   40  22:   44  23:   50  24:   50  25:   38  26:   37  27:   41  28:   30  29:    0
 30:    0  31:    0  32:    0  33:    0  34:    0  35:    0  36:    0  37:    0  38:    0  39:    0
 40:    0  41:    0  42:    0  43:    0  44:    0  45:    2  46:   27  47:   27  48:   29  49:   29
 50:   30  51:   29  52:   20  53:    0  54:    0  55:    0  56:    0  57:    0  58:    0  59:    0
fpc 12 pic 0
Last 60 seconds:
  0:   47   1:   48   2:   50   3:   48   4:    3   5:    0   6:    0   7:    0   8:    0   9:    0
 10:    0  11:    0  12:    0  13:    0  14:    0  15:    0  16:   38  17:   49  18:   45  19:   50
 20:    3  21:    0  22:    0  23:    0  24:    0  25:    0  26:    0  27:    0  28:    0  29:    0
 30:    0  31:    0  32:    0  33:    0  34:    0  35:    0  36:    0  37:    0  38:    0  39:    0
 40:   47  41:   50  42:   50  43:   50  44:   50  45:   32  46:   24  47:   23  48:   22  49:   22
 50:   22  51:   22  52:   23  53:   22  54:   21  55:   21  56:   22  57:   21  58:   18  59:   20


GOT: === spc7, swanhill7, Ingress, QOS, per queue counters:
GOT: Q# P      PktCnt     ByteCnt   ErrPktCnt     DropCnt Buf RateKbps
GOT: -- - ----------- ----------- ----------- ----------- --- --------
Before :
GOT:  0 0   689433376  3198313481           0   173262666   0        0
After :
GOT:  0 0   716151200  1322793729           0   187301004   0        0

GOT: === spc11, swanhill11, Ingress, QOS, per queue counters:
GOT: Q# P      PktCnt     ByteCnt   ErrPktCnt     DropCnt Buf RateKbps
GOT: -- - ----------- ----------- ----------- ----------- --- --------
Before :
GOT:  0 0   250772733  1150162904           0     1086140   0        0
After :
GOT:  0 0   260742314  2506553813           0     1086140   0        0

GOT: === spc12, swanhill12, Ingress, QOS, per queue counters:
GOT: Q# P      PktCnt     ByteCnt   ErrPktCnt     DropCnt Buf RateKbps
GOT: -- - ----------- ----------- ----------- ----------- --- --------
Before :
GOT:  0 0   237042682  3273566470           0     4507285   0        0
After :
GOT:  0 0   241128473  3830250900           0     4507285   0        0





The SRX starts dropping packets after 500k pps of the UDP attack.

We cannot use the threshold limit because it drops the real connections too while under attack.

We cannot use the session limit because the attack does not create sessions.

We tried to block by packet size with a firewall filter, but it does not change the result; the SRX loses the connection.




Cahit Eyigünlü
SPDNet Telekomünikasyon A.S.
+908508409773
75. Yıl Mahallesi 5301 Sk No:24/A - MANİSA 45100


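Added here as an editorial example, not part of the original post: a small parser for the `show security monitoring performance spu` output quoted above that flags the skew the post describes, one SPU running hot while the others sit idle. It accepts both the CLI layout and the same output flattened onto one line (as it arrives when pasted into mail); the sample data is a constructed, shortened excerpt and the `hot` / `idle_share` thresholds are assumptions to tune per box.

```python
import re
from statistics import mean

# Constructed sample in the layout of "show security monitoring performance spu",
# shortened to 12 one-second samples per SPU (the real command prints 60).
SAMPLE = """\
fpc 7 pic 0
Last 60 seconds:
  0:   25   1:   26   2:   27   3:   26   4:   26   5:   27
  6:   27   7:   27   8:   27   9:   27  10:   27  11:   67
fpc 11 pic 0
Last 60 seconds:
  0:    0   1:    0   2:    0   3:    0   4:   14   5:   49
  6:   51   7:   51   8:   50   9:   50  10:   51  11:    0
fpc 12 pic 0
Last 60 seconds:
  0:   47   1:   48   2:   50   3:   48   4:    3   5:    0
  6:    0   7:    0   8:    0   9:    0  10:    0  11:    0
"""

SPU_HEADER = re.compile(r"fpc\s+(\d+)\s+pic\s+(\d+)")  # starts one SPU block
SAMPLE_PAIR = re.compile(r"(\d+):\s*(\d+)")            # "<second>: <util%>"

def parse_spu_utilization(text):
    """Return {(fpc, pic): [util%, ...]}. Works on the CLI layout and on the
    same output flattened onto one line, as it appears when pasted into mail."""
    result, headers = {}, list(SPU_HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        spu = (int(m.group(1)), int(m.group(2)))
        result[spu] = [int(v) for _, v in SAMPLE_PAIR.findall(text[m.end():end])]
    return result

def spu_summary(util):
    """Per-SPU mean and peak utilization plus the share of samples at 0%."""
    return {spu: {"mean": round(mean(v), 1), "peak": max(v),
                  "idle_share": round(v.count(0) / len(v), 2)}
            for spu, v in util.items() if v}

def flag_hot_spu(util, hot=60, idle_share=0.4):
    """SPUs that peak at or above `hot`% while at least one other SPU is idle
    for `idle_share` of the window (thresholds are assumed, tune per box):
    the skew in the post, where the Cp-Flow SPU saturates and the rest sit empty."""
    summary = spu_summary(util)
    idle = {s for s, d in summary.items() if d["idle_share"] >= idle_share}
    if not idle:
        return []
    return sorted(s for s, d in summary.items() if d["peak"] >= hot and s not in idle)
```

Feed the pasted CLI text to `parse_spu_utilization` and pass the result to `flag_hot_spu`; on the sample it returns `[(7, 0)]`, the combo-mode SPC.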

