[j-nsp] ddos protocol protection - IPv4-unclassified

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Tue Apr 11 05:14:07 EDT 2017


> Saku Ytti [mailto:saku at ytti.fi]
> Sent: Monday, April 10, 2017 11:37 PM
> 
> Some problems with LPTS
> 
> a) LPTS punted packets are not subject to MQC, so you cannot use interface
> policers to limit say ICMP, BGP etc.
Yeah, this is a huge mess-up, taking the control away and not providing the same level of granularity in LPTS.

> b) LPTS only has 'aggregate' (NPU) level policing, ddos-protection has
> aggregate => ifd => ifl => sub
I don't really see a need for hierarchical policers, and besides, the uKernel and RE policers are SW; only the LU has a HW policer.

> c) There is no log information of what is causing LPTS or XIPC to drop packets
> 
Not sure what you mean: you're getting no info or insufficient info? Because although native LPTS alerting doesn't exist, it can be done with a TCL script applied through EEM.


> All this means, for example if you have 'bad' and 'good' customer sending
> you say BGP (or ICMP6, or what ever). Maybe 'bad' customer has
> L2 loop, and accidentally offers line rate of BGP. This means that your
> aggregate BGP policer, BGP-known @ 2500pps is congested. If your 'good'
> BGP is say 5pps and your 'bad' BGP is say 1.48Mpps, there is 99.5% probability
> that any given BGP through that NPU will time out ((1-(2500.0/1480010))**3).
> 
Actually, in this specific case I'm just thinking: wouldn't the looped BGP session be subject to a more aggressive "Configured" policer, as opposed to the "Established" policer?
Hmm, but even if it was, the session would have to time out first, so during the timeout period the "good" session could be affected/starved out.


> If you manage to identify the culprit somehow (perhaps capturing NPU
> counters), only thing you can do is add ACL to the offending interface
> dropping all BGP packets, as ACL is subject to LPTS punted packets, even
> though MQC is not. For obviously you cannot do this as pre-emptive
> measure, so there is no proactive way to actually protect the box today.
Yeah that's a bummer.
But I think I read somewhere that there's a plan to introduce policing for ACL in XR, or something along those lines, but I can't find it anywhere.

adam


netconsultings.com
::carrier-class solutions for the telecommunications industry::
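An added example (my own, not code from Saku's or adam's mails) that works through the aggregate-policer starvation Saku describes above: a flat NPU-wide BGP policer shared by a 5 pps "good" neighbour and a line-rate "bad" one, next to the ifl => aggregate hierarchy ddos-protection offers. The 1000 pps per-ifl rate, the proportional-drop model and the three-missed-keepalives hold timer are assumptions; the other figures are the ones from the mail.

```python
# Added example (not from the thread): the aggregate-policer starvation Saku
# describes versus the ifl -> aggregate hierarchy ddos-protection offers.
# Mail figures: 'good' BGP 5 pps, 'bad' BGP at line rate (~1.48 Mpps),
# aggregate BGP-known policer 2500 pps. Assumed for the illustration: a
# 1000 pps per-ifl policer, proportional drops, hold timer = 3 missed keepalives.

AGGREGATE_PPS = 2500.0
PER_IFL_PPS = 1000.0                          # assumed per-interface policer
FLOWS = {"good": 5.0, "bad": 1_480_005.0}     # offered pps per interface (constructed)

def accept_share(offered_pps, policer_pps):
    """Fraction of offered packets a policer admits; a congested policer
    drops proportionally, with no priority between sources (assumption)."""
    return 1.0 if offered_pps <= policer_pps else policer_pps / offered_pps

def flat_aggregate(flows, aggregate_pps):
    """One NPU-wide policer: every source gets the same acceptance ratio,
    so the 5 pps neighbour is starved along with the looping one."""
    share = accept_share(sum(flows.values()), aggregate_pps)
    return {name: share for name in flows}

def hierarchical(flows, aggregate_pps, per_ifl_pps):
    """Per-ifl policer first, then the aggregate on what survives: the bad
    interface is clamped before it can congest the shared stage."""
    admitted = {name: min(rate, per_ifl_pps) for name, rate in flows.items()}
    share = accept_share(sum(admitted.values()), aggregate_pps)
    return {name: admitted[name] / flows[name] * share for name in flows}

def timeout_probability(p_accept, keepalives=3):
    """Hold timer expires when `keepalives` consecutive keepalives are lost
    (independent drops): the (1 - 2500/1480010)**3 figure from the mail."""
    return (1.0 - p_accept) ** keepalives

def compare():
    """Timeout probability of each session under both policer designs."""
    flat = flat_aggregate(FLOWS, AGGREGATE_PPS)
    hier = hierarchical(FLOWS, AGGREGATE_PPS, PER_IFL_PPS)
    return {
        "flat": {n: timeout_probability(p) for n, p in flat.items()},
        "hierarchical": {n: timeout_probability(p) for n, p in hier.items()},
    }

if __name__ == "__main__":
    for design, result in compare().items():
        print(design, {n: round(p, 3) for n, p in result.items()})
```

With the flat policer both sessions time out with ~99.5% probability; with the per-ifl stage in front, only the looping neighbour does.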


