[j-nsp] DDoS Protection on MX204

Jason Lixfeld jason-jnsp at lixfeld.ca
Fri Jan 4 16:45:05 EST 2019



> On Jan 4, 2019, at 3:06 PM, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
> 
> Hi,
> 
> Before I go too far down the rabbit hole of looking into the DDoS Protection parent feature on MX, does anyone know if it’s supported on MX204?

So it’s a shallow rabbit hole; it’s enabled by default and after poking around with it a bit, it seems to be supported.

But, I’m seeing behaviour that doesn’t quite compute.

No RE filter configured, just the default DDoS protection.  Sending about 22k pps of bogus BGP packets.

FPC is in violation, but RE isn’t.  Remaining BGP sessions are still up.

jlixfeld@r# run show ddos-protection protocols bgp statistics
Packet types: 1, Received traffic: 1, Currently violated: 1
Protocol Group: BGP

  Packet type: aggregate
    System-wide information:
      Aggregate bandwidth is being violated!
	No. of FPCs currently receiving excess traffic: 1
	No. of FPCs that have received excess traffic:  1
	Violation first detected at: 2019-01-04 16:13:28 EST
	Violation last seen at:      2019-01-04 16:32:51 EST
	Duration of violation: 00:19:23 Number of violations: 5
      Received:  67923912            Arrival rate:     22925 pps
      Dropped:   46234805            Max arrival rate: 190065 pps
    Routing Engine information:
      Aggregate policer is no longer being violated
	Last violation started at: 2019-01-04 16:13:33 EST
	Last violation ended at:   2019-01-04 16:13:34 EST
	Duration of last violation: 00:00:01 Number of violations: 1
      Received:  21663099            Arrival rate:     19952 pps
      Dropped:   0                   Max arrival rate: 22228 pps
	Dropped by individual policers: 0
	Dropped by aggregate policer:   0
    FPC slot 0 information:
      Aggregate policer is currently being violated!
	Violation first detected at: 2019-01-04 16:13:29 EST
	Violation last seen at:      2019-01-04 16:32:51 EST
	Duration of violation: 00:19:22 Number of violations: 4
      Received:  67923912            Arrival rate:     22925 pps
      Dropped:   46234805            Max arrival rate: 190065 pps
	Dropped by individual policers: 0
	Dropped by aggregate policer:   46234805
	Dropped by flow suppression:    0
      Flow counts:
        Aggregation level     Current       Total detected   State
        Subscriber            0             0                Active

[edit]
jlixfeld@r#

If I send 188k pps, RE is still not in violation, but BGP sessions die.

jlixfeld@r# run show ddos-protection protocols bgp statistics
Packet types: 1, Received traffic: 1, Currently violated: 1
Protocol Group: BGP

  Packet type: aggregate
    System-wide information:
      Aggregate bandwidth is being violated!
	No. of FPCs currently receiving excess traffic: 1
	No. of FPCs that have received excess traffic:  1
	Violation first detected at: 2019-01-04 16:13:28 EST
	Violation last seen at:      2019-01-04 16:24:13 EST
	Duration of violation: 00:10:45 Number of violations: 5
      Received:  30565770            Arrival rate:     188433 pps
      Dropped:   19208137            Max arrival rate: 189414 pps
    Routing Engine information:
      Aggregate policer is no longer being violated
	Last violation started at: 2019-01-04 16:13:33 EST
	Last violation ended at:   2019-01-04 16:13:34 EST
	Duration of last violation: 00:00:01 Number of violations: 1
      Received:  11423775            Arrival rate:     19857 pps
      Dropped:   0                   Max arrival rate: 22100 pps
	Dropped by individual policers: 0
	Dropped by aggregate policer:   0
    FPC slot 0 information:
      Aggregate policer is currently being violated!
	Violation first detected at: 2019-01-04 16:13:28 EST
	Violation last seen at:      2019-01-04 16:24:13 EST
	Duration of violation: 00:10:45 Number of violations: 4
      Received:  30565770            Arrival rate:     188433 pps
      Dropped:   19208137            Max arrival rate: 189414 pps
	Dropped by individual policers: 0
	Dropped by aggregate policer:   19208137
	Dropped by flow suppression:    0
      Flow counts:
        Aggregation level     Current       Total detected   State
        Subscriber            0             0                Active

[edit]
jlixfeld@r#

If the same policer is doing the same job whether it’s 22kpps or 188kpps, I’d expect no difference in the effects the different rates would have on the BGP session.

Am I missing something?
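An added example, not part of the thread: a small Python parser for the `show ddos-protection protocols bgp statistics` text quoted above. It records, per scope (system-wide, Routing Engine, each FPC slot), the received/dropped counters and arrival rates, and reports FPCs whose aggregate policer is in violation while the RE policer is not, which is exactly the condition shown in the output. The sample input is a constructed excerpt modelled on the quoted output; the function names are the example's own.

```python
import re

# Constructed excerpt modelled on the output quoted in the message
# (timestamps and flow-count lines omitted; counters kept as quoted).
SAMPLE = """\
Protocol Group: BGP

  Packet type: aggregate
    System-wide information:
      Aggregate bandwidth is being violated!
      Received:  67923912            Arrival rate:     22925 pps
      Dropped:   46234805            Max arrival rate: 190065 pps
    Routing Engine information:
      Aggregate policer is no longer being violated
      Received:  21663099            Arrival rate:     19952 pps
      Dropped:   0                   Max arrival rate: 22228 pps
    FPC slot 0 information:
      Aggregate policer is currently being violated!
      Received:  67923912            Arrival rate:     22925 pps
      Dropped:   46234805            Max arrival rate: 190065 pps
"""

# Scope headers as Junos prints them; an FPC header carries its slot number.
SECTION_RE = re.compile(r"^\s+(System-wide|Routing Engine|FPC slot \d+) information:")
RECV_RE = re.compile(r"Received:\s+(\d+)\s+Arrival rate:\s+(\d+) pps")
DROP_RE = re.compile(r"Dropped:\s+(\d+)\s+Max arrival rate:\s+(\d+) pps")


def parse_ddos_stats(text):
    """Return {scope: {violated, received, rate, dropped, max_rate}}."""
    stats, scope = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            scope = m.group(1)
            stats[scope] = {"violated": False}
            continue
        if scope is None:
            continue
        # Only an active violation ends in "!"; "no longer being violated" does not.
        if "being violated!" in line:
            stats[scope]["violated"] = True
        if m := RECV_RE.search(line):
            stats[scope]["received"], stats[scope]["rate"] = int(m[1]), int(m[2])
        if m := DROP_RE.search(line):
            stats[scope]["dropped"], stats[scope]["max_rate"] = int(m[1]), int(m[2])
    return stats


def fpc_only_violations(stats):
    """FPC scopes in violation while the Routing Engine policer is not."""
    re_ok = not stats.get("Routing Engine", {}).get("violated", False)
    return [s for s, v in stats.items() if s.startswith("FPC") and v["violated"] and re_ok]
```

Running `fpc_only_violations(parse_ddos_stats(SAMPLE))` on the quoted counters returns `['FPC slot 0']`, i.e. the FPC policer is dropping while the RE policer reports nothing.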
