[j-nsp] DDoS Protection on MX204

Saku Ytti saku at ytti.fi
Fri Jan 4 16:50:06 EST 2019 

I assume you'd see BGP down on the first example as well, just lower
probability to see down event.

Out of box ddos-protection isn't doing much useful, you need to
configure every protocol.

http://blog.ip.fi/2014/03/quick-look-at-trio-ddos-protection-with.html
may give some ideas how to start

On Fri, 4 Jan 2019 at 23:45, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
>
>
>
> > On Jan 4, 2019, at 3:06 PM, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
> >
> > Hi,
> >
> > Before I go too far down the rabbit hole of looking into the DDoS Protection parent feature on MX, does anyone know if it’s supported on MX204?
>
> So it’s a shallow rabbit hole; it’s enabled by default and after poking around with it a bit, it seems to be supported.
>
> But, I’m seeing behaviour that doesn’t quite compute.
>
> No RE filter configured, just the default DDoS protection.  Sending about 22k pps of bogus BGP packets.
>
> FPC is in violation, but RE isn’t.  Remaining BGP sessions are still up.
>
> jlixfeld at r# run show ddos-protection protocols bgp statistics
> Packet types: 1, Received traffic: 1, Currently violated: 1
> Protocol Group: BGP
>
>   Packet type: aggregate
>     System-wide information:
>       Aggregate bandwidth is being violated!
>         No. of FPCs currently receiving excess traffic: 1
>         No. of FPCs that have received excess traffic:  1
>         Violation first detected at: 2019-01-04 16:13:28 EST
>         Violation last seen at:      2019-01-04 16:32:51 EST
>         Duration of violation: 00:19:23 Number of violations: 5
>       Received:  67923912            Arrival rate:     22925 pps
>       Dropped:   46234805            Max arrival rate: 190065 pps
>     Routing Engine information:
>       Aggregate policer is no longer being violated
>         Last violation started at: 2019-01-04 16:13:33 EST
>         Last violation ended at:   2019-01-04 16:13:34 EST
>         Duration of last violation: 00:00:01 Number of violations: 1
>       Received:  21663099            Arrival rate:     19952 pps
>       Dropped:   0                   Max arrival rate: 22228 pps
>         Dropped by individual policers: 0
>         Dropped by aggregate policer:   0
>     FPC slot 0 information:
>       Aggregate policer is currently being violated!
>         Violation first detected at: 2019-01-04 16:13:29 EST
>         Violation last seen at:      2019-01-04 16:32:51 EST
>         Duration of violation: 00:19:22 Number of violations: 4
>       Received:  67923912            Arrival rate:     22925 pps
>       Dropped:   46234805            Max arrival rate: 190065 pps
>         Dropped by individual policers: 0
>         Dropped by aggregate policer:   46234805
>         Dropped by flow suppression:    0
>       Flow counts:
>         Aggregation level     Current       Total detected   State
>         Subscriber            0             0                Active
>
> [edit]
> jlixfeld at r#
>
> If I send 188k pps, RE is still not in violation, but BGP sessions die.
>
> jlixfeld at r# run show ddos-protection protocols bgp statistics
> Packet types: 1, Received traffic: 1, Currently violated: 1
> Protocol Group: BGP
>
>   Packet type: aggregate
>     System-wide information:
>       Aggregate bandwidth is being violated!
>         No. of FPCs currently receiving excess traffic: 1
>         No. of FPCs that have received excess traffic:  1
>         Violation first detected at: 2019-01-04 16:13:28 EST
>         Violation last seen at:      2019-01-04 16:24:13 EST
>         Duration of violation: 00:10:45 Number of violations: 5
>       Received:  30565770            Arrival rate:     188433 pps
>       Dropped:   19208137            Max arrival rate: 189414 pps
>     Routing Engine information:
>       Aggregate policer is no longer being violated
>         Last violation started at: 2019-01-04 16:13:33 EST
>         Last violation ended at:   2019-01-04 16:13:34 EST
>         Duration of last violation: 00:00:01 Number of violations: 1
>       Received:  11423775            Arrival rate:     19857 pps
>       Dropped:   0                   Max arrival rate: 22100 pps
>         Dropped by individual policers: 0
>         Dropped by aggregate policer:   0
>     FPC slot 0 information:
>       Aggregate policer is currently being violated!
>         Violation first detected at: 2019-01-04 16:13:28 EST
>         Violation last seen at:      2019-01-04 16:24:13 EST
>         Duration of violation: 00:10:45 Number of violations: 4
>       Received:  30565770            Arrival rate:     188433 pps
>       Dropped:   19208137            Max arrival rate: 189414 pps
>         Dropped by individual policers: 0
>         Dropped by aggregate policer:   19208137
>         Dropped by flow suppression:    0
>       Flow counts:
>         Aggregation level     Current       Total detected   State
>         Subscriber            0             0                Active
>
> [edit]
> jlixfeld at r#
>
> If the same policer is doing the same job whether it’s 22kpps or 188kpps, I’d expect no difference in the affects the different rates would have on the BGP session.
>
> Am I missing something?
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
  ++ytti

More information about the juniper-nsp mailing list