[j-nsp] ddos protocol protection - IPv4-unclassified

Saku Ytti saku at ytti.fi
Mon Apr 10 08:06:13 EDT 2017


On 10 April 2017 at 09:49, Mark Tees <marktees at gmail.com> wrote:

Hey,

> Ytti will probably pop up and comment on this but we have

As summoned.

> flow-detection configured under global for ddos-protection which
> create flows then actions when under DDOS like conditions rather than
> hitting static policers. Only after we enabled flow-detection did we
> start surviving those conditions.

> https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-scfd-overview.html
> http://blog.ip.fi/2014/03/quick-look-at-trio-ddos-protection-with.html

Yeah essentially the path is

wire => port filter => lo0 filter => ddos protection => npu2lc_cpu
magic policer => lc_cpu => re_cpu

You can't change the NPU-to-LC_CPU magic policer, so you really don't
want to congest it; it seems to be a quite low pps limiter. I would not
dimension anything over 10 kpps in ddos-protection.

When it comes to ddos-protection, it's a bit annoying that you cannot
configure default values for all protocols. This means you need to
manually configure each and every protocol there is, which makes for a
very long ddos-protection config. My recommendation is:

a) enable flow detection
b) disable subscriber-level detection, unless you know you can use it
   (we only have 5k HW policers; a UDP/TCP attacker using 5k source
   ports can congest all of them)
c) classify all protocols into one of three groups:
   1. critical (if down, there is an outage)
   2. used (we use this, but if it's congested, it's not an actual outage)
   3. unused (we don't use this protocol at all)
   Maybe have an aggregate level of 10 kpps for critical, 1 kpps for
   used and 10 pps for unused
d) have a much smaller IFL-level pps

The rationale is that it is OK to get your aggregate level violated.
Say you have two BGP customers, and one of them has an L2 loop and
gives you 1.48 Mpps of BGP packets: your aggregate 10 kpps BGP policer
will get congested, the system will figure out the offending IFL and
program a more specific IFL policer for the offending interface,
keeping the rest of the BGP traffic in the aggregate policer.

The time to figure out the congested policer and program a more
specific policer is non-zero, so you might want to set some protocols
with a bounded count to be statically detected at IFL level. Like BGP:
you may want to always preprogram IFL-level policers, provided you
won't have more than 1-2k BGP sessions.

Of course, having well-configured ddos-protection does not mean you
don't need a good lo0 filter; they just serve different roles. Lo0 is
to discriminate good from bad, ddos-protection is to protect one good
from another (misbehaving) good.

In my experience Juniper is the only vendor on the market which
delivers tools to protect the system from attackers; it's just quite
complicated to configure. IOS-XR cannot be configured correctly, but
out of the box it's vastly better protected than JunOS (on platforms
where IOS-XR has LPTS, which is not all IOS-XR platforms...).
I assume most Juniper networks can be broken by a single DSL user.



-- 
  ++ytti
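An illustrative Junos configuration that follows the four recommendations in the message above (flow detection on, subscriber-level detection off, protocols sorted into critical / used / unused with the suggested aggregate rates, smaller IFL-level rates, and BGP pre-programmed for IFL-level detection rather than waiting for the aggregate to be violated). This is an added example, not configuration from the post, from the list, or from Juniper: the six protocol groups are a small subset picked for illustration (which group a protocol belongs in is a per-network decision, and `rip`/`telnet` are only assumed unused here), the rates are the ballpark figures from the message, and the `set` syntax assumes the MX/Trio `system ddos-protection` hierarchy, so check it against the Junos release in use before committing.

```junos
# Global: turn on flow detection so that a congested aggregate policer
# makes the system look for the offending flow instead of just dropping
# everything that shares the policer.
set system ddos-protection global flow-detection
set system ddos-protection global flow-detection-mode automatic

# --- Critical (if down, there is an outage): 10 kpps aggregate ---
# BGP: session count is bounded, so IFL-level detection is "on"
# (IFL policers always programmed) instead of "automatic" (programmed
# only after the aggregate is violated). Subscriber-level detection is
# off because the shared HW policer pool is small.
set system ddos-protection protocols bgp aggregate bandwidth 10000
set system ddos-protection protocols bgp aggregate burst 10000
set system ddos-protection protocols bgp aggregate flow-level-detection subscriber off
set system ddos-protection protocols bgp aggregate flow-level-detection logical-interface on
set system ddos-protection protocols bgp aggregate flow-level-bandwidth logical-interface 1000

# BFD: also critical, but IFL count is less bounded, so leave IFL-level
# detection automatic (programmed on violation).
set system ddos-protection protocols bfd aggregate bandwidth 10000
set system ddos-protection protocols bfd aggregate burst 10000
set system ddos-protection protocols bfd aggregate flow-level-detection subscriber off
set system ddos-protection protocols bfd aggregate flow-level-detection logical-interface automatic
set system ddos-protection protocols bfd aggregate flow-level-bandwidth logical-interface 1000

# --- Used (congestion is degradation, not outage): 1 kpps aggregate ---
set system ddos-protection protocols icmp aggregate bandwidth 1000
set system ddos-protection protocols icmp aggregate burst 1000
set system ddos-protection protocols icmp aggregate flow-level-detection subscriber off
set system ddos-protection protocols icmp aggregate flow-level-detection logical-interface automatic
set system ddos-protection protocols icmp aggregate flow-level-bandwidth logical-interface 100

set system ddos-protection protocols ssh aggregate bandwidth 1000
set system ddos-protection protocols ssh aggregate burst 1000
set system ddos-protection protocols ssh aggregate flow-level-detection subscriber off
set system ddos-protection protocols ssh aggregate flow-level-detection logical-interface automatic
set system ddos-protection protocols ssh aggregate flow-level-bandwidth logical-interface 100

# --- Unused (assumed not used at all in this network): 10 pps aggregate ---
# The lo0 filter should already be discarding these; the ddos-protection
# entry is the backstop for what slips through.
set system ddos-protection protocols telnet aggregate bandwidth 10
set system ddos-protection protocols telnet aggregate burst 10
set system ddos-protection protocols telnet aggregate flow-level-detection subscriber off
set system ddos-protection protocols telnet aggregate flow-level-detection logical-interface off

set system ddos-protection protocols rip aggregate bandwidth 10
set system ddos-protection protocols rip aggregate burst 10
set system ddos-protection protocols rip aggregate flow-level-detection subscriber off
set system ddos-protection protocols rip aggregate flow-level-detection logical-interface off
```

Two things to keep in mind when adapting this. First, the per-protocol `flow-level-detection` / `flow-level-bandwidth` knobs are repeated for every group because, as the message notes, there is no way to set a default for all protocols at once, so a real deployment will have the same five lines for every protocol group the platform knows about. Second, `logical-interface on` consumes an IFL policer per interface carrying that protocol whether or not anything is misbehaving, which is why it is only worth doing for protocols whose interface count is bounded (BGP peers) and not for something like ICMP on a box with thousands of IFLs. After committing, the commands I would use to confirm the policy is doing what was intended are `show ddos-protection protocols violations` (which aggregate policers are currently being violated) and `show ddos-protection protocols bgp culprit-flows` (which IFL-level flows have been identified and policed).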

