[j-nsp] ddos protocol protection - IPv4-unclassified

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Mon Apr 10 06:13:02 EDT 2017


> James Jun
> Sent: Monday, April 10, 2017 7:17 AM
> 
> Hello Folks,
> 
> We had a strange DoS attack against a customer attached to an MX104 router
> that caused the device to completely stop forwarding all legitimate traffic
> (routing protocols both igp and bgp timed out across all adjacencies and
> sessions).
> 
> The attack traffic was roughly 5.9 Gbps and it was 9.5 million packets per
> second, mostly mix of tcp syn and non-init frags, etc.  It was coming from a
> single source IP, but targeting random IPv4 addresses inside a directly
> attached customer /23, where many of the destination targets were unused
> addresses on customer's network (no arp entry).
> 
> During the event, I saw IPv4-unclassified protocol group getting rate limited
> by ddos-protection, where aggregate policer kicked in at 858k pps:
> 
>       Received:  5659052312          Arrival rate:     1 pps
>       Dropped:   5641705949          Max arrival rate: 858556 pps
> 
> 
> Does the tripping of IPv4-unclassified policer impact any control-plane traffic
> on the router that may have caused it to drop routing protocols?
> 
> Aside from arp sponging out unused addresses, are there any best practices
> for MX routers to better protect the device against attacks targeting unused
> IPs on directly attached subnets?  Given that first gen Trio on this box should
> be able to handle 55 Mpps, it seems like this is odd or ddos-protection is
> policing something that it shouldn't have.  Customer port is 1GE on a 20x1G
> MIC card behind the QX chip side, but we're not doing any queueing on the
> box.

That's a correct configuration; 20Gbps in and 20Gbps out is the maximum
throughput on a 1st gen Trio if the QX chip is not explicitly disabled.
Default pps rates on DDoS protection are too high; you need to tune them in
order to gain actual protection.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
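Added example (not from either post in this thread): a Junos configuration fragment that tunes the ipv4-unclassified aggregate policer the way Adam's reply suggests, so it trips far below what one attacking host can generate instead of at the platform default. The bandwidth and burst numbers are constructed placeholders, not recommended values; derive them from a baseline of normal punted traffic on your own box.

```junos
/* Added example: lower the chassis-wide policer for IPv4 packets the PFE */
/* cannot classify (e.g. packets for hosts with no ARP entry on a */
/* directly attached /23). Values below are constructed placeholders. */
system {
    ddos-protection {
        protocols {
            ipv4-unclassified {
                aggregate {
                    /* pps ceiling for the whole chassis; constructed value */
                    bandwidth 5000;
                    /* packets tolerated above the rate before policing; constructed value */
                    burst 5000;
                }
            }
        }
    }
}
```

Baseline the group first with `show ddos-protection protocols ipv4-unclassified statistics` (the Received/Dropped/Arrival rate counters quoted above come from that output), and after the change watch `show ddos-protection protocols ipv4-unclassified violations` to confirm the policer now trips during an event.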