[j-nsp] Flowspec not filtering traffic.
Gustavo Santos
gustkiller at gmail.com
Sat Sep 17 10:41:58 EDT 2022
Hi Saku,
PS: Real ASN was changed to 65000 on the configuration snippet.
show route table inetflow.0 extensive
1x8.2x8.84.34,*,proto=17,port=0/term:7 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): discard,count
Page 0 idx 0, (group KENTIK_FS type Internal) Type 1 val 0x63b7c098
(adv_entry)
Advertised metrics:
Flags: NoNexthop
Localpref: 100
AS path: [65000 I
Communities: traffic-rate:52873:0
Advertise: 00000001
Path 1x8.2x8.84.34,*,proto=17,port=0
Vector len 4. Val: 0
*Flow Preference: 5
Next hop type: Fictitious, Next hop index: 0
Address: 0x5214bfc
Next-hop reference count: 22
Next hop:
State: <Active SendNhToPFE>
Local AS: 52873
Age: 8w0d 20:30:33
Validation State: unverified
Task: RT Flow
Announcement bits (2): 0-Flow 1-BGP_RT_Background
AS path: I
Communities: traffic-rate:65000:0
show firewall
Filter: __flowspec_default_inet__
Counters:
Name Bytes
Packets
1x8.2x8.84.34,*,proto=17,port=0 19897391083
510189535
BGP Group
{master}[edit protocols bgp group KENTIK_FS]
type internal;
hold-time 720;
mtu-discovery;
family inet {
unicast;
flow {
no-validate flowspec-import;
}
}
}
Import policy
{master}[edit]
gustavo at MX10K3# edit policy-options policy-statement flowspec-import
{master}[edit policy-options policy-statement flowspec-import]
gustavo at MX10K3# show
term 1 {
then accept;
}
IP transit interface
{master}[edit interfaces ae0 unit 10]
gustavo at MX10K3# show
vlan-id 10;
family inet {
mtu 1500;
filter {
inactive: input ddos;
}
sampling {
input;
}
address x.x.x.x.x/31;
}
Em sáb., 17 de set. de 2022 às 03:00, Saku Ytti <saku at ytti.fi> escreveu:
> Can you provide some output.
>
> Like 'show route table inetflow.0 extensive' and config.
>
> On Sat, 17 Sept 2022 at 05:05, Gustavo Santos via juniper-nsp
> <juniper-nsp at puck.nether.net> wrote:
> >
> > Hi,
> >
> > We have noticed that flowspec is not working or filtering as expected.
> > Trying a DDoS detection and rule generator tool, and we noticed that the
> > flowspec rule is installed,
> > the filter counter is increasing , but no filtering at all.
> >
> > For example DDoS traffic from source port UDP port 123 is coming from an
> > Internet Transit
> > facing interface AE0.
> > The destination of this traffic is to a customer Interface ET-0/0/10.
> >
> > Even with all information and "show" commands confirming that the traffic
> > has been filtered, customer and snmp and netflow from the customer facing
> > interface is showing that the "filtered" traffic is hitting the
> destination.
> >
> > Is there any caveat or limitation or anyone hit this issue? I tried this
> > with two MX10003 routers one with 19.R3-xxx and the other one with 20.4R3
> > junos branch.
> >
> > Regards.
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
> ++ytti
>
More information about the juniper-nsp
mailing list