[j-nsp] ddos protocol protection - IPv4-unclassified

Cahit Eyügünlü cahit.eyigunlu at spd.net.tr
Mon Apr 10 02:20:31 EDT 2017


We are facing the exact same thing with MX80

Sent from my iPhone

James Jun <james at towardex.com> wrote (10 Apr 2017 09:14):

> Hello Folks,
>
> We had a strange DoS attack against a customer attached to an MX104 router that caused the device to
> completely stop forwarding all legitimate traffic (routing protocols, both IGP and BGP, timed out across
> all adjacencies and sessions).
>
> The attack traffic was roughly 5.9 Gbps and 9.5 million packets per second, mostly a mix of TCP
> SYN and non-init frags, etc.  It was coming from a single source IP, but targeting random IPv4 addresses
> inside a directly attached customer /23, where many of the destination targets were unused addresses
> on the customer's network (no ARP entry).
>
> During the event, I saw IPv4-unclassified protocol group getting rate limited by ddos-protection, where
> aggregate policer kicked in at 858k pps:
>
>      Received:  5659052312          Arrival rate:     1 pps
>      Dropped:   5641705949          Max arrival rate: 858556 pps
>
>
> Does the tripping of IPv4-unclassified policer impact any control-plane traffic on the router that may have
> caused it to drop routing protocols?
>
> Aside from ARP sponging out unused addresses, are there any best practices for MX routers to better protect
> the device against attacks targeting unused IPs on directly attached subnets?  Given that first-gen Trio on
> this box should be able to handle 55 Mpps, it seems like this is odd, or ddos-protection is policing
> something that it shouldn't have.  Customer port is 1GE on a 20x1G MIC card behind the QX chip side, but
> we're not doing any queueing on the box.
>
>
> Thanks,
> James
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

Cahit Eyügünlü
SPDNET A.Ş
+908508409773
75.Yıl Mahallesi 5301 Sokak No:24/A Yunusemre/MANİSA


This e-mail is intended for the addressee only and may contain confidential information. If you have received this e-mail by mistake, do not use its contents in any way and do not open the attached files. This e-mail has been scanned for viruses by anti-virus systems. However, SPDNET does not guarantee that this e-mail is free of viruses, even though it is checked by virus protection systems, and accepts no liability for any damage that may result.
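As an added illustration of the ddos-protection counters quoted in James's post (not code from the thread or from Juniper), the following Python parses the Received/Dropped/Arrival-rate lines, computes how much of the policed IPv4-unclassified traffic was discarded, and compares the peak arrival rate against an assumed aggregate policer bandwidth. The surrounding output layout and the configured policer value are assumptions; only the four counter values come from the post.

```python
import re

# Constructed sample, modelled on the two counter lines quoted in the thread.
# The "Protocol Group" / "Aggregate policer statistics" framing is an assumption,
# not verbatim Junos output; the four numbers are the ones from the post.
SAMPLE = """\
Protocol Group: IPv4-Unclassified
  Aggregate policer statistics:
     Received:  5659052312          Arrival rate:     1 pps
     Dropped:   5641705949          Max arrival rate: 858556 pps
"""

# Assumed aggregate policer bandwidth in pps; the thread does not state the
# box's configured value, so this is a placeholder for the comparison.
ASSUMED_POLICER_PPS = 100000

FIELD_RE = re.compile(
    r"Received:\s+(?P<received>\d+)\s+Arrival rate:\s+(?P<rate>\d+) pps\s+"
    r"Dropped:\s+(?P<dropped>\d+)\s+Max arrival rate:\s+(?P<max_rate>\d+) pps"
)


def parse_policer_stats(text):
    """Return the four counters as ints, or None if the block is not present."""
    m = FIELD_RE.search(text)
    if not m:
        return None
    return {k: int(v) for k, v in m.groupdict().items()}


def assess(stats, configured_pps=ASSUMED_POLICER_PPS):
    """Summarise how hard the aggregate policer was hit.

    drop_ratio: fraction of policed packets discarded (cumulative counters).
    exceeded_policer: whether the recorded peak arrival rate went above the
    configured bandwidth, i.e. the policer was actively rate-limiting.
    """
    received = stats["received"]
    drop_ratio = stats["dropped"] / received if received else 0.0
    return {
        "drop_ratio": round(drop_ratio, 4),
        "exceeded_policer": stats["max_rate"] > configured_pps,
        "peak_over_limit_pps": max(stats["max_rate"] - configured_pps, 0),
    }
```

Run over the post's numbers, the drop ratio comes out at roughly 99.7%, which is what a policer in sustained violation looks like; polling these counters and alerting on a rising drop ratio or a max arrival rate above the configured bandwidth gives early warning before adjacencies start timing out.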

