[j-nsp] ddos protocol protection - IPv4-unclassified

[James Jun]

Hello Folks,

We had a strange DoS attack against a customer attached to an MX104 router that caused the device to
completely stop forwarding all legitimate traffic (routing protocols both igp and bgp timed out across
all adjacencies and sessions).

The attack traffic was roughly 5.9 Gbps and it was 9.5 million packets per second, mostly mix of tcp
syn and non-init frags, etc.  It was coming from a single source IP, but targeting random IPv4 addresses 
inside a directly attached customer /23, where many of the destination targets were unused addresses
on customer's network (no arp entry).

During the event, I saw IPv4-unclassified protocol group getting rate limited by ddos-protection, where
aggregate policer kicked in at 858k pps:

      Received:  5659052312          Arrival rate:     1 pps
      Dropped:   5641705949          Max arrival rate: 858556 pps


Does the tripping of IPv4-unclassified policer impact any control-plane traffic on the router that may have
caused it to drop routing protocols?

Aside from arp sponging out unused addresses, are there any best practices for MX routers to better protect
the device against attacks targeting unused IPs on directly attached subnets?  Given that first gen Trio on
this box should be able to handle 55 Mpps, it seems like this is odd or ddos-protection is policing
something that it shouldn't have.  Customer port is 1GE on a 20x1G MIC card behind the QX chip side, but 
we're not doing any queueing on the box.


Thanks,
James