Re: [j-nsp] Juniper SRX3600 have a bug i think
On 15/05/15 20:27, Cahit Eyigünlü wrote:

> root> show security monitoring performance

This came across mangled for me; all wrapped into one line, so unreadable.

> SRX start dropping packets after 500k pps of the udp attack.

That sounds about right. The 3600 spec sheet claims ~270k sessions/sec for TCP 3-way handshakes. So, I'd expect the policy inspection speed to be about that, so 500k PPS UDP seems about right for the box to fall over, for relatively unique 5-tuples.

Firewalls are not routers. They don't perform well in this kind of scenario, IME.

> We can not use threshold limit because it drops the real connections too while under attack.

What is threshold limit? Do you mean the screen options?

> we cannot use session limit because the attack does not create session

Do you mean that you have a deny policy, hence no sessions? Or you have a permit policy, but the session isn't being created for some other reason?

The solution to your problem will depend on what the traffic looks like. What does the distribution of source and dest IP/port look like in your UDP flood?

You could consider using S/RTBH in front of the firewall, driven by something like netflow/sflow; have a router eat the traffic statelessly before it hits the expensive stateful processing.

We actually use the screen function in logging-only mode, and process the logs in realtime to trigger S/RTBH. This allows us to whitelist some stuff that tends to false-positive the screens, as well as implement better timeout/backoff behaviour, while still using the SRX to do the counting.

TBH you haven't really given enough information.

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
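The log-driven S/RTBH trigger the reply describes (screens in logging-only mode, a process that counts the screen events, a whitelist for sources that false-positive, and timeout/backoff on the blackhole), written out as an added example. It is not the responder's tooling or anything from the thread: the syslog line shape matched by SCREEN_RE is an assumption, the sample log lines are constructed from documentation address ranges, and the actual route announcement is left to whatever the trigger router accepts (the controller only records what it would announce or withdraw).

```python
"""Log-driven S/RTBH trigger with whitelist and backoff (added example).

Consumes SRX screen events emitted in alarm-only mode, counts hits per source
within a sliding window, and decides when a blackhole for that source should
be announced and later withdrawn. Route injection itself (BGP, static route
via NETCONF, etc.) is out of scope here and is only recorded in `announced`.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed shape of an RT_SCREEN syslog event; only the source address is needed.
SCREEN_RE = re.compile(
    r"RT_SCREEN_(?P<screen>\w+): .*?source: (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Constructed sample log as (seconds since start, message). 192.0.2.5 plays a
# monitoring host that legitimately trips the UDP screen and must be whitelisted.
SAMPLE_LOG = [
    (0, "RT_SCREEN_UDP: UDP flood! source: 198.51.100.7:4000, destination: 203.0.113.10:53, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop"),
    (1, "RT_SCREEN_UDP: UDP flood! source: 198.51.100.7:4001, destination: 203.0.113.10:53, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop"),
    (2, "RT_SCREEN_UDP: UDP flood! source: 198.51.100.7:4002, destination: 203.0.113.10:53, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop"),
    (2, "RT_SCREEN_UDP: UDP flood! source: 192.0.2.5:5000, destination: 203.0.113.10:161, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop"),
    (3, "RT_SCREEN_UDP: UDP flood! source: 192.0.2.5:5001, destination: 203.0.113.10:161, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop"),
    (3, "RT_SCREEN_UDP: UDP flood! source: 192.0.2.5:5002, destination: 203.0.113.10:161, zone name: untrust, interface name: xe-1/0/0.0, action: alarm-without-drop"),
    (4, "RT_FLOW_SESSION_CREATE: session created 198.51.100.9/1234->203.0.113.10/80"),  # not a screen event, ignored
]


class RtbhController:
    """Counts screen hits per source and decides blackhole announce/withdraw."""

    def __init__(self, whitelist, threshold=5, window=10, base_timeout=60, max_timeout=3600):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.threshold = threshold        # hits inside `window` seconds before blackholing
        self.window = window
        self.base_timeout = base_timeout  # lifetime of the first blackhole for a source
        self.max_timeout = max_timeout    # cap for the exponential backoff
        self.hits = defaultdict(list)     # src -> timestamps of recent hits
        self.active = {}                  # src -> expiry time of its blackhole
        self.strikes = defaultdict(int)   # src -> prior blackholes, drives the backoff
        self.announced = []               # (action, src, lifetime) handed to the route sink

    def is_whitelisted(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.whitelist)

    def feed(self, line, now):
        """Process one log line at time `now`; return the source if it got blackholed."""
        m = SCREEN_RE.search(line)
        if not m:
            return None
        src = m.group("src")
        if self.is_whitelisted(src) or src in self.active:
            return None
        recent = [t for t in self.hits[src] if now - t <= self.window] + [now]
        self.hits[src] = recent
        if len(recent) >= self.threshold:
            return self._blackhole(src, now)
        return None

    def _blackhole(self, src, now):
        # Each repeat offence doubles the lifetime, up to max_timeout.
        lifetime = min(self.base_timeout * (2 ** self.strikes[src]), self.max_timeout)
        self.strikes[src] += 1
        self.active[src] = now + lifetime
        self.hits.pop(src, None)
        self.announced.append(("announce", src, lifetime))
        return src

    def expire(self, now):
        """Withdraw blackholes whose lifetime has elapsed; return the withdrawn sources."""
        expired = [s for s, t in self.active.items() if t <= now]
        for s in expired:
            del self.active[s]
            self.announced.append(("withdraw", s, 0))
        return expired


def run_demo():
    """Feed the constructed log, let the first blackhole expire, then re-offend."""
    ctrl = RtbhController(whitelist=["192.0.2.0/24"], threshold=3, window=10, base_timeout=60)
    for t, line in SAMPLE_LOG:
        ctrl.feed(line, now=t)
    ctrl.expire(now=62)                       # first 60 s blackhole times out
    for t in (70, 71, 72):                    # same source returns: lifetime doubles to 120 s
        ctrl.feed(SAMPLE_LOG[0][1], now=t)
    return ctrl


if __name__ == "__main__":
    for action, src, lifetime in run_demo().announced:
        print(action, src, lifetime)
```

The controller blackholes by source, which is what S/RTBH does; threshold, window and base timeout should be sized from the screen's own false-positive rate on the network in question, and the whitelist is what keeps monitoring hosts, DNS resolvers and similar chatty legitimate sources from being blackholed by their own traffic.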
[j-nsp] Juniper SRX3600 have a bug i think
We have an SRX 3600 with 3x SPC and 1x NPC and detailed configuration as given below:

root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AB4209AA0014      SRX 3600
Midplane         REV 07   710-020310   AAAV0320          SRX 3600 Midplane
PEM 0            rev 08   740-027644   G087FD002R08P     AC Power Supply
PEM 1            rev 08   740-027644   G087FE004B08P     AC Power Supply
CB 0             REV 14   750-021914   AAAV0881          SRX3k RE-12-10
  Routing Engine BUILTIN  BUILTIN                        Routing Engine
  CPP            BUILTIN  BUILTIN                        Central PFE Processor
  Mezz           REV 08   710-021035   AAAN7843          SRX HD Mezzanine Card
FPC 0            REV 16   750-021882   AADE3908          SRX3k SFB 12GE
  PIC 0          BUILTIN  BUILTIN                        8x 1GE-TX 4x 1GE-SFP
FPC 1            REV 20   750-020321   AAFE5669          SRX3k 2x10GE XFP
  PIC 0          BUILTIN  BUILTIN                        2x 10GE-XFP
    Xcvr 0       NON-JNPR T09L21440                      XFP-10G-SR
    Xcvr 1       NON-JNPR T09L21452                      XFP-10G-SR
FPC 4            REV 14   750-020321   AAAV0984          SRX3k 2x10GE XFP
  PIC 0          BUILTIN  BUILTIN                        2x 10GE-XFP
    Xcvr 0       NON-JNPR T09L21443                      XFP-10G-SR
    Xcvr 1       NON-JNPR T09L21436                      XFP-10G-SR
FPC 7            REV 13   750-016077   AADC9162          SRX3k SPC
  PIC 0          BUILTIN  BUILTIN                        SPU Cp-Flow
FPC 10           REV 19   750-017866   AABZ0103          SRX3k NPC
  PIC 0          BUILTIN  BUILTIN                        NPC PIC
FPC 11           REV 16   750-016077   AAEA6880          SRX3k SPC
  PIC 0          BUILTIN  BUILTIN                        SPU Flow
FPC 12           REV 13   750-016077   AADC9166          SRX3k SPC
  PIC 0          BUILTIN  BUILTIN                        SPU Flow
Fan Tray 0       REV 06   750-021599   AAAM4505          SRX 3600 Fan Tray

We have a test lab and we are sending UDP flood traffic from untrust zone to trusted zone:

Real ip address -- 1G port Ex4200 10G port - Untrust SRX Zone -- Trust SRX zone 10G port Ex4200 Switch 1G port --- Server

Attack script is sending 29 byte UDP packets (1 byte data length.)
And we realize that NPC does not distribute connections in this situation and SPC 7 (which works in combo mode) start dropping packets while other SPCs are empty:

root> show security monitoring performance spu
fpc 7 pic 0
Last 60 seconds:
 0: 25   1: 26   2: 27   3: 26   4: 26   5: 27   6: 27   7: 27   8: 27   9: 27
10: 27  11: 27  12: 67  13: 67  14: 67  15: 67  16: 33  17: 25  18: 24  19: 27
20: 22  21: 21  22: 27  23: 27  24: 26  25: 16  26: 19  27: 40  28: 68  29: 63
30: 66  31: 68  32: 67  33: 65  34: 68  35: 65  36: 66  37: 67  38: 63  39: 27
40: 27  41: 27  42: 27  43: 27  44: 27  45: 27  46: 27  47: 27  48: 27  49: 27
50: 27  51: 40  52: 42  53: 42  54: 42  55: 41  56: 41  57: 42  58: 36  59: 27
fpc 11 pic 0
Last 60 seconds:
 0: 0    1: 0    2: 0    3: 0    4: 14   5: 49   6: 51   7: 51   8: 50   9: 50
10: 51  11: 51  12: 34  13: 0   14: 0   15: 0   16: 0   17: 0   18: 0   19: 0
20: 14  21: 40  22: 44  23: 50  24: 50  25: 38  26: 37  27: 41  28: 30  29: 0
30: 0   31: 0   32: 0   33: 0   34: 0   35: 0   36: 0   37: 0   38: 0   39: 0
40: 0   41: 0   42: 0   43: 0   44: 0   45: 2   46: 27  47: 27  48: 29  49: 29
50: 30  51: 29  52: 20  53: 0   54: 0   55: 0   56: 0   57: 0   58: 0   59: 0
fpc 12 pic 0
Last 60 seconds:
 0: 47   1: 48   2: 50   3: 48   4: 3    5: 0    6: 0    7: 0    8: 0    9: 0
10: 0   11: 0   12: 0   13: 0   14: 0   15: 0   16: 38  17: 49  18: 45  19: 50
20: 3   21: 0   22: 0   23: 0   24: 0   25: 0   26: 0   27: 0   28: 0   29: 0
30: 0   31: 0   32: 0   33: 0   34: 0   35: 0   36: 0   37: 0   38: 0   39: 0
40: 47  41: 50  42: 50  43: 50  44: 50  45: 32  46: 24  47: 23  48: 22  49: 22
50: 22  51: 22  52: 23  53: 22  54: 21  55: 21  56: 22  57: 21  58: 18  59: 20