[j-nsp] DDoS Protection on MX204

Alexander Arseniev arseniev at btinternet.com
Sat Jan 5 03:00:33 EST 2019


Hello,

Trio DDOS employs a hierarchy/chain of policers. Assuming flow detection 
is at default (and default==not configured), the first policer in a 
chain would be the FPC aggregate one, and it is 20Kpps by default.

Your 188K offered BGP traffic is therefore rate-limited OUT OF the FPC to 
20Kpps.

And then the RE aggregate policer kicks in, also at 20Kpps. Therefore, your 
already-rate-limited BGP traffic is rate-limited a second time with 
another 20Kpps policer, and because of the imperfect rate-limiting by the first FPC 
policer (instead of strictly 20Kpps it passed 22100 pps) the RE aggregate 
policer detected a short-lived 1-second violation.

As Saku mentioned, with the default config the Trio DDoS protection is not doing much; 
you'd need to enable flow detection and then tune every single protocol 
policer in the chain, because the default policers are either too generous 
or too strict.

Hope this makes sense

Thanks

Alex
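As an added illustration of the tuning described above (this is not configuration from the original post or from Juniper; the 5000 pps / 5000 packet / 1000 pps values and the 60-second recover time are assumptions for a box with a handful of BGP peers, to be sized from your own measured "Max arrival rate"), a BGP-only example of turning on flow detection and tightening the aggregate policer that is enforced first at the FPC and again at the RE:

```junos
system {
    ddos-protection {
        global {
            /* Flow detection is off by default; enable it so the
               per-protocol flow-level settings below take effect. */
            flow-detection;
        }
        protocols {
            bgp {
                aggregate {
                    /* Illustrative ceiling for control-plane BGP in pps
                       (assumed value); burst is in packets. The same
                       policer value applies at the FPC and at the RE. */
                    bandwidth 5000;
                    burst 5000;
                    /* Seconds without excess traffic before the
                       violation state clears (assumed value). */
                    recover-time 60;
                    /* Track suspicious flows per source (subscriber level)
                       and police only the offending flow, so one flooding
                       address does not exhaust the whole BGP aggregate. */
                    flow-level-detection {
                        subscriber on;
                    }
                    flow-level-control {
                        subscriber police;
                    }
                    flow-level-bandwidth {
                        subscriber 1000;
                    }
                }
            }
        }
    }
}
```

The same `aggregate` stanza exists for every other protocol group (ospf, isis, ldp, arp, icmp and so on) and each one has to be reviewed individually; only BGP is shown here. After committing, check the result with `show ddos-protection protocols bgp`, `show ddos-protection protocols bgp statistics` (the same output as in the quoted post) and `show ddos-protection protocols bgp flow-detection`, and confirm that a flood now shows up under "Dropped by flow suppression" rather than only "Dropped by aggregate policer".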

On 04/01/2019 21:45, Jason Lixfeld wrote:
>
>> On Jan 4, 2019, at 3:06 PM, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
>>
>> Hi,
>>
>> Before I go too far down the rabbit hole of looking into the DDoS Protection parent feature on MX, does anyone know if it’s supported on MX204?
> So it’s a shallow rabbit hole; it’s enabled by default and after poking around with it a bit, it seems to be supported.
>
> But, I’m seeing behaviour that doesn’t quite compute.
>
> No RE filter configured, just the default DDoS protection.  Sending about 22k pps of bogus BGP packets.
>
> FPC is in violation, but RE isn’t.  Remaining BGP sessions are still up.
>
> jlixfeld at r# run show ddos-protection protocols bgp statistics
> Packet types: 1, Received traffic: 1, Currently violated: 1
> Protocol Group: BGP
>
>    Packet type: aggregate
>      System-wide information:
>        Aggregate bandwidth is being violated!
> 	No. of FPCs currently receiving excess traffic: 1
> 	No. of FPCs that have received excess traffic:  1
> 	Violation first detected at: 2019-01-04 16:13:28 EST
> 	Violation last seen at:      2019-01-04 16:32:51 EST
> 	Duration of violation: 00:19:23 Number of violations: 5
>        Received:  67923912            Arrival rate:     22925 pps
>        Dropped:   46234805            Max arrival rate: 190065 pps
>      Routing Engine information:
>        Aggregate policer is no longer being violated
> 	Last violation started at: 2019-01-04 16:13:33 EST
> 	Last violation ended at:   2019-01-04 16:13:34 EST
> 	Duration of last violation: 00:00:01 Number of violations: 1
>        Received:  21663099            Arrival rate:     19952 pps
>        Dropped:   0                   Max arrival rate: 22228 pps
> 	Dropped by individual policers: 0
> 	Dropped by aggregate policer:   0
>      FPC slot 0 information:
>        Aggregate policer is currently being violated!
> 	Violation first detected at: 2019-01-04 16:13:29 EST
> 	Violation last seen at:      2019-01-04 16:32:51 EST
> 	Duration of violation: 00:19:22 Number of violations: 4
>        Received:  67923912            Arrival rate:     22925 pps
>        Dropped:   46234805            Max arrival rate: 190065 pps
> 	Dropped by individual policers: 0
> 	Dropped by aggregate policer:   46234805
> 	Dropped by flow suppression:    0
>        Flow counts:
>          Aggregation level     Current       Total detected   State
>          Subscriber            0             0                Active
>
> [edit]
> jlixfeld at r#
>
> If I send 188k pps, RE is still not in violation, but BGP sessions die.
>
> jlixfeld at r# run show ddos-protection protocols bgp statistics
> Packet types: 1, Received traffic: 1, Currently violated: 1
> Protocol Group: BGP
>
>    Packet type: aggregate
>      System-wide information:
>        Aggregate bandwidth is being violated!
> 	No. of FPCs currently receiving excess traffic: 1
> 	No. of FPCs that have received excess traffic:  1
> 	Violation first detected at: 2019-01-04 16:13:28 EST
> 	Violation last seen at:      2019-01-04 16:24:13 EST
> 	Duration of violation: 00:10:45 Number of violations: 5
>        Received:  30565770            Arrival rate:     188433 pps
>        Dropped:   19208137            Max arrival rate: 189414 pps
>      Routing Engine information:
>        Aggregate policer is no longer being violated
> 	Last violation started at: 2019-01-04 16:13:33 EST
> 	Last violation ended at:   2019-01-04 16:13:34 EST
> 	Duration of last violation: 00:00:01 Number of violations: 1
>        Received:  11423775            Arrival rate:     19857 pps
>        Dropped:   0                   Max arrival rate: 22100 pps
> 	Dropped by individual policers: 0
> 	Dropped by aggregate policer:   0
>      FPC slot 0 information:
>        Aggregate policer is currently being violated!
> 	Violation first detected at: 2019-01-04 16:13:28 EST
> 	Violation last seen at:      2019-01-04 16:24:13 EST
> 	Duration of violation: 00:10:45 Number of violations: 4
>        Received:  30565770            Arrival rate:     188433 pps
>        Dropped:   19208137            Max arrival rate: 189414 pps
> 	Dropped by individual policers: 0
> 	Dropped by aggregate policer:   19208137
> 	Dropped by flow suppression:    0
>        Flow counts:
>          Aggregation level     Current       Total detected   State
>          Subscriber            0             0                Active
>
> [edit]
> jlixfeld at r#
>
> If the same policer is doing the same job whether it’s 22kpps or 188kpps, I’d expect no difference in the effects the different rates would have on the BGP session.
>
> Am I missing something?
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp