[j-nsp] ddos protocol protection - IPv4-unclassified

Cahit Eyügünlü cahit.eyigunlu at spd.net.tr
Mon Apr 10 03:17:43 EDT 2017


Dear James,

Do you face something like that?


http://gorselpaylas.com/image/5
http://gorselpaylas.com/image/7
http://gorselpaylas.com/image/A
http://gorselpaylas.com/image/D






On 10/04/17 10:14, "Felix Schüren" <felix.schueren at godaddy.com> wrote:

>From memory, the MXes by default have a single shared policer across all interfaces for stuff like ARP, which means that the flood you received against non-existent but "directly reachable" IPs most likely triggered this global policer, which caused ARP/ND timeouts on all (even non-attacked) interfaces, which then caused BGP/IGP timeouts. You've effectively DoSed yourself with the ARP requests I think. :)
>
>Kind regards,
>Felix
>
>________________________________________
>From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of Mark Tees <marktees at gmail.com>
>Sent: Monday, April 10, 2017 8:49 AM
>To: Cahit Eyügünlü
>Cc: juniper-nsp at puck.nether.net
>Subject: Re: [j-nsp] ddos protocol protection - IPv4-unclassified
>
>From memory, when I last tested this the default settings were pretty
>bad under DoS conditions (IGP, BGP going down due to packets being
>dropped).
>
>Ytti will probably pop up and comment on this, but we have
>flow-detection configured under global for ddos-protection, which
>creates flows and then takes actions under DDoS-like conditions rather than
>hitting static policers. Only after we enabled flow-detection did we
>start surviving those conditions.
>
>https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-scfd-overview.html
>http://blog.ip.fi/2014/03/quick-look-at-trio-ddos-protection-with.html
>
>
>On 10 April 2017 at 13:20, Cahit Eyügünlü <cahit.eyigunlu at spd.net.tr> wrote:
>> We are facing the exact same thing with MX80.
>>
>> Sent from my iPhone
>>
>> James Jun <james at towardex.com> wrote (10 Apr 2017 09:14):
>>
>>> Hello Folks,
>>>
>>> We had a strange DoS attack against a customer attached to an MX104 router that caused the device to
>>> completely stop forwarding all legitimate traffic (routing protocols, both IGP and BGP, timed out across
>>> all adjacencies and sessions).
>>>
>>> The attack traffic was roughly 5.9 Gbps and 9.5 million packets per second, mostly a mix of TCP
>>> SYN and non-initial fragments, etc. It was coming from a single source IP, but targeting random IPv4 addresses
>>> inside a directly attached customer /23, where many of the destination targets were unused addresses
>>> on the customer's network (no ARP entry).
>>>
>>> During the event, I saw the IPv4-unclassified protocol group getting rate limited by ddos-protection, where
>>> the aggregate policer kicked in at 858k pps:
>>>
>>>      Received:  5659052312          Arrival rate:     1 pps
>>>      Dropped:   5641705949          Max arrival rate: 858556 pps
>>>
>>>
>>> Does the tripping of the IPv4-unclassified policer impact any control-plane traffic on the router that may have
>>> caused it to drop routing protocols?
>>>
>>> Aside from ARP sponging out unused addresses, are there any best practices for MX routers to better protect
>>> the device against attacks targeting unused IPs on directly attached subnets? Given that first-gen Trio on
>>> this box should be able to handle 55 Mpps, it seems like this is odd, or ddos-protection is policing
>>> something that it shouldn't have. The customer port is 1GE on a 20x1G MIC card behind the QX chip side, but
>>> we're not doing any queueing on the box.
>>>
>>>
>>> Thanks,
>>> James
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> Cahit Eyügünlü
>> SPDNET A.Ş
>> +908508409773
>> 75.Yıl Mahallesi 5301 Sokak No:24/A Yunusemre/MANİSA
>> Website: https://www.spd.net.tr/  Email: cahit.eyigunlu at spd.net.tr  Twitter: https://twitter.com/NetSpd  Facebook: https://www.facebook.com/SpdNetTR/
>>
>>
>> This e-mail is intended for the addressee only and may contain confidential information. If this e-mail has reached you by mistake, do not use its contents in any way and do not open the attached files. This e-mail has been scanned for viruses by anti-virus systems. However, SPDNET does not guarantee that this e-mail is free of viruses, even though it is checked by virus protection systems, and accepts no liability for any damage that may arise.
>
>
>
>--
>Regards,
>
>Mark L. Tees
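As an added example, not from the thread or from Juniper, here is a small Python check that parses the counters James quoted out of `show ddos-protection protocols` text and flags protocol groups whose aggregate policer has been tripped (drops recorded, or a peak arrival rate above the configured bandwidth). The sample output is constructed to mirror that CLI layout; the IPv4-Unclassified counters are the ones from the thread, the ARP group and the 20000 pps bandwidth values are assumed.

```python
import re

# Constructed sample modelled on `show ddos-protection protocols` output; the
# IPv4-Unclassified counters are the ones quoted in the thread, the rest is made up.
SAMPLE_OUTPUT = """\
Protocol Group: IPv4-Unclassified
    Aggregate policer configuration:
      Bandwidth:        20000 pps
    System-wide information:
      Received:  5659052312          Arrival rate:     1 pps
      Dropped:   5641705949          Max arrival rate: 858556 pps

Protocol Group: ARP
    Aggregate policer configuration:
      Bandwidth:        20000 pps
    System-wide information:
      Received:  1200345             Arrival rate:     12 pps
      Dropped:   0                   Max arrival rate: 4101 pps
"""

# One regex per counter, applied within each "Protocol Group:" block.
FIELDS = {
    "bandwidth_pps": r"Bandwidth:\s+(\d+) pps",
    "received": r"Received:\s+(\d+)",
    "dropped": r"Dropped:\s+(\d+)",
    "max_arrival_pps": r"Max arrival rate:\s+(\d+) pps",
}

def parse_ddos_protocols(text):
    """Map each protocol group name to its aggregate policer counters."""
    stats = {}
    for block in re.split(r"(?m)^Protocol Group: ", text)[1:]:
        group = block.splitlines()[0].strip()
        values = {}
        for name, pattern in FIELDS.items():
            match = re.search(pattern, block)
            if match is None:
                raise ValueError(f"{group}: no '{name}' counter in output")
            values[name] = int(match.group(1))
        stats[group] = values
    return stats

def policer_violated(counters):
    # Drops, or a peak arrival rate above the configured bandwidth, mean the
    # aggregate policer has clipped this group since the counters were cleared.
    return counters["dropped"] > 0 or counters["max_arrival_pps"] > counters["bandwidth_pps"]

def violated_groups(text):
    return [g for g, c in parse_ddos_protocols(text).items() if policer_violated(c)]
```

Run periodically against the live CLI output, a non-empty result from `violated_groups` is an early signal that a shared policer is being hit, before the ARP/ND and then IGP/BGP timeouts Felix describes set in.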