[j-nsp] Decoding DDOS messages

Jason Healy jhealy at logn.net
Wed Mar 18 15:31:50 EDT 2020


Saku,

Thank you for your responses.  I'm trying to learn about this as I go...


On Mar 18, 2020, at 10:39 AM, Saku Ytti <saku at ytti.fi> wrote:
> 
> Your L2 should be in its virtual-switch/vpls (doesn't imply VPLS)
> instance with forwarding-plane filter policing BUM. But unrelated to
> subject.

You might need to email me off-list for that one... I'm not sure if I'm following the theory on that.

>> IPMCAST-miss (lots of this one!)
> 
> Probably punts for programming flow, and subsequent will be HW
> switched. You may want to have ACL to drop all MCAST traffic at edge.
> This should be 0 if you don't actually run multicast.

We're applying an l2 filter at the vlan level to scrub all but well-known multicast on this switch.  Can it still get to the CPU even if blocked in this manner?  Or is the flow assignment done prior to l2 firewalling?

>> ARP
> 
> Self-explanatory? You shouldn't want to see this exceeded, ideally you
> should police this on IFD level, but I'm not sure if QFX5k can, MX
> can.

Assuming there is not malicious traffic, wouldn't exceeding this counter imply that the defaults are tuned too low?  We are a small school with ~1500 devices.  While we might get bursts of ARP traffic at peak times (like when students move between classes), I would be surprised if it was so high as to be a concern.

>> TTL
> 
> TTL exceeded message. Normal to hit this policer in uloops.

We're spoke-and-hub, static routing, so not expecting a lot of microloops due to convergence.  Possible we're seeing this from "lost" packets being misrouted to our ISP (then routed back).

>> Redirect
> 
> IP redirect, you probably want to disable them at network edge. This
> should be 0.

Is there an easy way to find/locate IP redirects?  I'm curious if these are sourced from our ISP.

>> L3MTU-fail
> 
> Egress MTU was too small for packet. It is punted for potentially ICMP
> message generation. Depending on config expected or unexpected.

We should be jumbo (9216) throughout, including uplink to our ISP.  Any way to narrow these down?

Thanks for all the replies, I'm starting to get a better idea on this.

Jason
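The thread above is about reading these policer names off the box; as an added example (not from this thread or from Juniper), here is a small triage script that parses jddosd DDOS_PROTOCOL_VIOLATION_SET/CLEAR syslog lines, keeps only the policers still in violation, and flags the ones Saku says should be zero (IPMCAST-miss, Redirect). The log lines are constructed and their exact wording is an assumption modelled on the Junos messages, so adjust the regex to what your syslog actually shows.

```python
import re

# Constructed sample syslog lines modelled on Junos jddosd violation messages.
# The precise wording is an assumption, not output copied from a live QFX/MX.
SAMPLE_LOG = """\
Mar 18 10:01:02 qfx jddosd[1423]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMCAST-miss:aggregate exceeded its allowed bandwidth at fpc 0 for 4 times, started at 2020-03-18 10:01:02 EDT
Mar 18 10:02:15 qfx jddosd[1423]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception ARP:aggregate exceeded its allowed bandwidth at fpc 0 for 1 times, started at 2020-03-18 10:02:15 EDT
Mar 18 10:07:30 qfx jddosd[1423]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception ARP:aggregate has returned to normal. Its allowed bandwidth was exceeded at fpc 0 for 1 times, from 2020-03-18 10:02:15 EDT to 2020-03-18 10:07:30 EDT
Mar 18 10:09:00 qfx jddosd[1423]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Redirect:aggregate exceeded its allowed bandwidth at fpc 0 for 2 times, started at 2020-03-18 10:09:00 EDT
Mar 18 10:12:44 qfx jddosd[1423]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 7 times, started at 2020-03-18 10:12:44 EDT
"""

# Policers the thread says should stay at zero when you run no multicast and
# have redirects disabled at the edge; anything else gets a softer "review".
EXPECT_ZERO = {"IPMCAST-miss", "Redirect"}
NOTES = {
    "IPMCAST-miss": "multicast punt for flow programming; drop MCAST at the edge",
    "ARP": "ARP policer; sustained hits mean tuning or a misbehaving host",
    "TTL": "TTL-exceeded punt; normal in micro-loops, otherwise misrouting",
    "Redirect": "ICMP redirect; disable redirects at the network edge",
    "L3MTU-fail": "egress MTU too small; punted for ICMP generation",
}

LINE_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_(?P<state>SET|CLEAR):.*?"
    r"protocol/exception (?P<proto>[\w-]+):(?P<ptype>\w+) .*?"
    r"at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)

def parse_violations(log_text):
    """Return (state, protocol, packet_type, fpc, count) for each matching line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m["state"], m["proto"], m["ptype"], int(m["fpc"]), int(m["count"])))
    return out

def triage(log_text):
    """List policers still violated (latest SET not followed by a CLEAR), with severity."""
    active = {}  # (proto, ptype, fpc) -> count from the most recent SET
    for state, proto, ptype, fpc, count in parse_violations(log_text):
        key = (proto, ptype, fpc)
        if state == "SET":
            active[key] = count
        else:
            active.pop(key, None)  # CLEAR ends the violation for that policer/FPC
    return [(p, t, f, c, "investigate" if p in EXPECT_ZERO else "review", NOTES.get(p, ""))
            for (p, t, f, c) in sorted((k + (v,)) for k, v in active.items())]
```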

