[j-nsp] Flowspec not filtering traffic.
Saku Ytti
saku at ytti.fi
Sun Sep 18 02:39:19 EDT 2022
Are you exceeding the configured rate for the policer? Did you expect
to drop at any rate? The rule sets a non-0 policing rate.
On Sat, 17 Sept 2022 at 17:42, Gustavo Santos <gustkiller at gmail.com> wrote:
>
> Hi Saku,
>
> PS: Real ASN was changed to 65000 on the configuration snippet.
>
>
>
> show route table inetflow.0 extensive
>
> 1x8.2x8.84.34,*,proto=17,port=0/term:7 (1 entry, 1 announced)
> TSI:
> KRT in dfwd;
> Action(s): discard,count
> Page 0 idx 0, (group KENTIK_FS type Internal) Type 1 val 0x63b7c098 (adv_entry)
> Advertised metrics:
> Flags: NoNexthop
> Localpref: 100
> AS path: [65000 I
> Communities: traffic-rate:52873:0
> Advertise: 00000001
> Path 1x8.2x8.84.34,*,proto=17,port=0
> Vector len 4. Val: 0
> *Flow Preference: 5
> Next hop type: Fictitious, Next hop index: 0
> Address: 0x5214bfc
> Next-hop reference count: 22
> Next hop:
> State: <Active SendNhToPFE>
> Local AS: 52873
> Age: 8w0d 20:30:33
> Validation State: unverified
> Task: RT Flow
> Announcement bits (2): 0-Flow 1-BGP_RT_Background
> AS path: I
> Communities: traffic-rate:65000:0
>
> show firewall
>
> Filter: __flowspec_default_inet__
> Counters:
> Name Bytes Packets
> 1x8.2x8.84.34,*,proto=17,port=0 19897391083 510189535
>
>
> BGP Group
>
> {master}[edit protocols bgp group KENTIK_FS]
> type internal;
> hold-time 720;
> mtu-discovery;
> family inet {
> unicast;
> flow {
> no-validate flowspec-import;
> }
> }
> }
>
>
>
> Import policy
> {master}[edit]
> gustavo at MX10K3# edit policy-options policy-statement flowspec-import
>
> {master}[edit policy-options policy-statement flowspec-import]
> gustavo at MX10K3# show
> term 1 {
> then accept;
> }
>
> IP transit interface
>
> {master}[edit interfaces ae0 unit 10]
> gustavo at MX10K3# show
> vlan-id 10;
> family inet {
> mtu 1500;
> filter {
> inactive: input ddos;
> }
> sampling {
> input;
> }
> address x.x.x.x.x/31;
> }
>
>
> Em sáb., 17 de set. de 2022 às 03:00, Saku Ytti <saku at ytti.fi> escreveu:
>>
>> Can you provide some output.
>>
>> Like 'show route table inetflow.0 extensive' and config.
>>
>> On Sat, 17 Sept 2022 at 05:05, Gustavo Santos via juniper-nsp
>> <juniper-nsp at puck.nether.net> wrote:
>> >
>> > Hi,
>> >
>> > We have noticed that flowspec is not working or filtering as expected.
>> > Trying a DDoS detection and rule generator tool, and we noticed that the
>> > flowspec rule is installed,
>> > the filter counter is increasing , but no filtering at all.
>> >
>> > For example DDoS traffic from source port UDP port 123 is coming from an
>> > Internet Transit
>> > facing interface AE0.
>> > The destination of this traffic is to a customer Interface ET-0/0/10.
>> >
>> > Even with all information and "show" commands confirming that the traffic
>> > has been filtered, customer and snmp and netflow from the customer facing
>> > interface is showing that the "filtered" traffic is hitting the destination.
>> >
>> > Is there any caveat or limitation or anyone hit this issue? I tried this
>> > with two MX10003 routers one with 19.R3-xxx and the other one with 20.4R3
>> > junos branch.
>> >
>> > Regards.
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>>
>> --
>> ++ytti
--
++ytti
More information about the juniper-nsp
mailing list