[j-nsp] DDoS Protection on MX204
Jason Lixfeld
jason-jnsp at lixfeld.ca
Fri Jan 4 16:45:05 EST 2019
> On Jan 4, 2019, at 3:06 PM, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
>
> Hi,
>
> Before I go too far down the rabbit hole of looking into the DDoS Protection parent feature on MX, does anyone know if it’s supported on MX204?
So it’s a shallow rabbit hole; it’s enabled by default and after poking around with it a bit, it seems to be supported.
But, I’m seeing behaviour that doesn’t quite compute.
No RE filter configured, just the default DDoS protection. Sending about 22k pps of bogus BGP packets.
FPC is in violation, but RE isn’t. Remaining BGP sessions are still up.
jlixfeld at r# run show ddos-protection protocols bgp statistics
Packet types: 1, Received traffic: 1, Currently violated: 1
Protocol Group: BGP
Packet type: aggregate
System-wide information:
Aggregate bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2019-01-04 16:13:28 EST
Violation last seen at: 2019-01-04 16:32:51 EST
Duration of violation: 00:19:23 Number of violations: 5
Received: 67923912 Arrival rate: 22925 pps
Dropped: 46234805 Max arrival rate: 190065 pps
Routing Engine information:
Aggregate policer is no longer being violated
Last violation started at: 2019-01-04 16:13:33 EST
Last violation ended at: 2019-01-04 16:13:34 EST
Duration of last violation: 00:00:01 Number of violations: 1
Received: 21663099 Arrival rate: 19952 pps
Dropped: 0 Max arrival rate: 22228 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 0
FPC slot 0 information:
Aggregate policer is currently being violated!
Violation first detected at: 2019-01-04 16:13:29 EST
Violation last seen at: 2019-01-04 16:32:51 EST
Duration of violation: 00:19:22 Number of violations: 4
Received: 67923912 Arrival rate: 22925 pps
Dropped: 46234805 Max arrival rate: 190065 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 46234805
Dropped by flow suppression: 0
Flow counts:
Aggregation level Current Total detected State
Subscriber 0 0 Active
[edit]
jlixfeld at r#
If I send 188k pps, RE is still not in violation, but BGP sessions die.
jlixfeld at r# run show ddos-protection protocols bgp statistics
Packet types: 1, Received traffic: 1, Currently violated: 1
Protocol Group: BGP
Packet type: aggregate
System-wide information:
Aggregate bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2019-01-04 16:13:28 EST
Violation last seen at: 2019-01-04 16:24:13 EST
Duration of violation: 00:10:45 Number of violations: 5
Received: 30565770 Arrival rate: 188433 pps
Dropped: 19208137 Max arrival rate: 189414 pps
Routing Engine information:
Aggregate policer is no longer being violated
Last violation started at: 2019-01-04 16:13:33 EST
Last violation ended at: 2019-01-04 16:13:34 EST
Duration of last violation: 00:00:01 Number of violations: 1
Received: 11423775 Arrival rate: 19857 pps
Dropped: 0 Max arrival rate: 22100 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 0
FPC slot 0 information:
Aggregate policer is currently being violated!
Violation first detected at: 2019-01-04 16:13:28 EST
Violation last seen at: 2019-01-04 16:24:13 EST
Duration of violation: 00:10:45 Number of violations: 4
Received: 30565770 Arrival rate: 188433 pps
Dropped: 19208137 Max arrival rate: 189414 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 19208137
Dropped by flow suppression: 0
Flow counts:
Aggregation level Current Total detected State
Subscriber 0 0 Active
[edit]
jlixfeld at r#
If the same policer is doing the same job whether it’s 22kpps or 188kpps, I’d expect no difference in the affects the different rates would have on the BGP session.
Am I missing something?
More information about the juniper-nsp
mailing list