[j-nsp] ddos protocol protection - IPv4-unclassified

Mark Tees marktees at gmail.com
Mon Apr 10 02:49:22 EDT 2017


From memory, when I last tested this the default settings were pretty
bad under DoS conditions (IGP and BGP going down due to packets being
dropped).

Ytti will probably pop up and comment on this, but we have
flow-detection configured under global for ddos-protection, which
creates flows and then takes actions under DDoS-like conditions rather than
hitting static policers. Only after we enabled flow-detection did we
start surviving those conditions.

https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-scfd-overview.html
http://blog.ip.fi/2014/03/quick-look-at-trio-ddos-protection-with.html


On 10 April 2017 at 13:20, Cahit Eyügünlü <cahit.eyigunlu at spd.net.tr> wrote:
> We are facing the exact Same thing with mx80
>
> Sent from my iPhone
>
> James Jun <james at towardex.com> wrote (10 Apr 2017 09:14):
>
>> Hello Folks,
>>
>> We had a strange DoS attack against a customer attached to an MX104 router that caused the device to
>> completely stop forwarding all legitimate traffic (routing protocols both igp and bgp timed out across
>> all adjacencies and sessions).
>>
>> The attack traffic was roughly 5.9 Gbps and it was 9.5 million packets per second, mostly a mix of TCP
>> SYN and non-initial frags, etc.  It was coming from a single source IP, but targeting random IPv4 addresses
>> inside a directly attached customer /23, where many of the destination targets were unused addresses
>> on the customer's network (no ARP entry).
>>
>> During the event, I saw IPv4-unclassified protocol group getting rate limited by ddos-protection, where
>> aggregate policer kicked in at 858k pps:
>>
>>      Received:  5659052312          Arrival rate:     1 pps
>>      Dropped:   5641705949          Max arrival rate: 858556 pps
>>
>>
>> Does the tripping of IPv4-unclassified policer impact any control-plane traffic on the router that may have
>> caused it to drop routing protocols?
>>
>> Aside from ARP sponging out unused addresses, are there any best practices for MX routers to better protect
>> the device against attacks targeting unused IPs on directly attached subnets?  Given that first-gen Trio on
>> this box should be able to handle 55 Mpps, it seems like this is odd or ddos-protection is policing
>> something that it shouldn't have.  The customer port is 1GE on a 20x1G MIC card behind the QX chip side, but
>> we're not doing any queueing on the box.
>>
>>
>> Thanks,
>> James
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> Cahit Eyügünlü
> SPDNET A.Ş <https://www.spd.net.tr/>
> +908508409773
> 75.Yıl Mahallesi 5301 Sokak No:24/A Yunusemre/MANİSA
>
>
> This e-mail is intended for the named recipient only and may contain confidential information. If this e-mail has reached you in error, do not use its contents in any way and do not open the attached files. This e-mail has been scanned by anti-virus systems. However, SPDNET does not guarantee that this e-mail is free of viruses, even though it is checked by virus-protection systems, and accepts no liability for any damage that may arise.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
Regards,

Mark L. Tees

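The flow-detection setup described above, as an added illustrative Junos configuration that is not from the original thread or from either poster's router. The protocol group is the ipv4-unclassified group that tripped in the original report; every bandwidth, burst and timer value is an assumption chosen to show the knobs and is not a tuned figure from the thread.

```junos
/* Added example: ddos-protection with flow detection on a Trio/MPC-based MX.
   All numeric values are assumptions for illustration, not recommendations. */
system {
    ddos-protection {
        global {
            /* Enable suspicious-control-flow detection. Without this the
               static aggregate policers are the only thing that acts. */
            flow-detection;
            flow-report-rate 100;        /* cap flow-event log messages per second (assumed) */
            violation-report-rate 100;   /* cap policer-violation log messages per second (assumed) */
        }
        protocols {
            ipv4-unclassified {
                aggregate {
                    bandwidth 20000;     /* pps, assumed value */
                    burst 20000;         /* packets, assumed value */
                    /* Look for culprit flows at each granularity. On a plain
                       transit port the logical- and physical-interface levels
                       are the relevant ones; subscriber applies to BNG setups. */
                    flow-level-detection {
                        subscriber on;
                        logical-interface on;
                        physical-interface on;
                    }
                    /* Per-flow rate (pps) above which a flow is a culprit (assumed). */
                    flow-level-bandwidth {
                        subscriber 1000;
                        logical-interface 5000;
                        physical-interface 10000;
                    }
                    /* Drop a culprit at the finest granularity, rate-limit at
                       coarser ones so one attacked subnet does not blackhole
                       every address behind the same port. */
                    flow-level-control {
                        subscriber drop;
                        logical-interface police;
                        physical-interface police;
                    }
                    flow-detection-mode automatic;   /* only hunt for flows once the aggregate policer is violated */
                    flow-detect-time 3;              /* seconds over threshold before a flow is flagged (assumed) */
                    flow-recover-time 60;            /* seconds under threshold before it is released (assumed) */
                    flow-timeout-time 300;           /* hard cap on how long a flow stays suppressed (assumed) */
                }
            }
        }
    }
}
```

With this committed, `show ddos-protection protocols ipv4-unclassified flow-detection` shows whether detection is active for the group, `show ddos-protection protocols ipv4-unclassified culprit-flows` lists the flows currently being dropped or policed, and `show ddos-protection protocols ipv4-unclassified` still reports the aggregate policer counters quoted in the original message. Flow detection requires Junos and line-card support for suspicious-control-flow detection; check the first linked Juniper document for the release and platform caveats before relying on it.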
