Re: [j-nsp] SRX3600 Problem

2015-04-22 Thread Phil Mayers

On 22/04/15 13:20, Farrukh Haroon wrote:

Hi Cahit

Your assumption about the order of operations seems to be wrong. If the
screen is before the filter, then how come the pings are blocked before
you start your attack script? Since your initial pings are blocked this
means the filter is working (at least during normal loads)..

It is more likely that you are either hitting a bug or the box is
incapable of the DOS generated from your script (which is running on a
high speed LAN network) and packets are getting slipped/missed from the
filter and leaking to the screen check...


Cahit sent me some information off-list which I encouraged him to 
re-post here so others can contribute.


From what I understand, they're finding the screen options are not 
working, presumably because it's a DDoS and there are too many sources 
for source-based to work; and destination-based of course blocks the 
target victim.


As such, they're trying to use IDS/IDP rules to block the traffic, but 
the box is falling over under the load.


Cahit, is this correct?

We've reached the limits of my experience; it sounds like a big DDoS, 
and stateful filtering may not be able to handle the load. It's probably 
a question for JTAC.


Cheers,
Phil
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX3600 Problem

2015-04-22 Thread Farrukh Haroon
Hi Cahit

Your assumption about the order of operations seems to be wrong. If the
screen is before the filter, then how come the pings are blocked before you
start your attack script? Since your initial pings are blocked this means
the filter is working (at least during normal loads)..

It is more likely that you are either hitting a bug or the box is
incapable of the DOS generated from your script (which is running on a high
speed LAN network) and packets are getting slipped/missed from the filter
and leaking to the screen check...

Regards
Farrukh





On Wed, Apr 22, 2015 at 1:50 PM, Phil Mayers p.may...@imperial.ac.uk
wrote:

 On 21/04/15 17:22, Cahit Eyigünlü wrote:

 We are getting a spoofed IP SYN attack. When the attack starts and is
 over 100K pps, our SRX3600 was losing the connection. And we checked the
 status of the device over the serial connection. But we could not
 determine why it has dropped the connection.


 What is the connection here? I don't understand your problem.

 If you don't have screen protections enabled then yes, 100kpps of
 spoofed syn will knock the box over.

 See for example:


 http://www.juniper.net/documentation/en_US/junos12.1/topics/concept/denial-of-service-network-syn-cookie-protection-understanding.html



Re: [j-nsp] SRX3600 Problem

2015-04-21 Thread Farrukh Haroon
hi cahit

have you enabled any screens on the interface under attack?

regards
farrukh

On Tue, Apr 21, 2015 at 7:22 PM, Cahit Eyigünlü cahit.eyigu...@spd.net.tr
wrote:

 We are getting a spoofed IP SYN attack. When the attack starts and is over
 100K pps, our SRX3600 was losing the connection. And we checked the status of
 the device over the serial connection. But we could not determine why it has
 dropped the connection.



 Should somebody help us to overcome this issue?




[j-nsp] SRX3600 Problem

2015-04-21 Thread Cahit Eyigünlü
We are getting a spoofed IP SYN attack. When the attack starts and is over
100K pps, our SRX3600 was losing the connection. And we checked the status of
the device over the serial connection. But we could not determine why it has
dropped the connection.



Should somebody help us to overcome this issue?



r...@srx3600.spd.net.tr show security flow cp-session summary
Valid sessions: 141
Pending sessions: 621628
Invalidated sessions: 517864
Sessions in other states: 1
Total sessions: 1139634
Maximum sessions: 2359296


r...@srx3600.spd.net.tr show security monitoring fpc 12
FPC 12
  PIC 0
CPU utilization  :   44 %
Memory utilization   :   67 %
Current flow session : 147286
Current flow session IPv4: 147286
Current flow session IPv6:0
Max flow session : 524288
Current CP session   : 1074031
Current CP session   IPv4: 1074031
Current CP session   IPv6:0
Max CP session   : 2359296
Total Session Creation Per Second (for last 96 seconds on average):   13
IPv4  Session Creation Per Second (for last 96 seconds on average):   13
IPv6  Session Creation Per Second (for last 96 seconds on average):0



r...@srx3600.spd.net.tr show chassis routing-engine
Routing Engine status:
  Slot 0:
Current state  Master
Election priority  Master (default)
DRAM  1023 MB
Memory utilization  44 percent
CPU utilization:
  User   0 percent
  Background 0 percent
  Kernel 5 percent
  Interrupt  0 percent
  Idle  95 percent
Model  RE-PPC-1200-A
Start time 2015-04-15 02:06:10 UTC
Uptime 4 days, 15 hours, 16 minutes, 29 seconds
Last reboot reason Router rebooted after a normal shutdown.
Load averages: 1 minute   5 minute  15 minute
   0.14   0.07   0.11

r...@srx3600.spd.net.tr show security monitoring performance spu
fpc  12 pic  0
Last 60 seconds:
 0:  39   1:  45   2:  44   3:  40   4:  44   5:  40
 6:  38   7:  46   8:  45   9:  39  10:  44  11:  39
12:  38  13:  45  14:  38  15:  45  16:  44  17:  39
18:  44  19:  39  20:  44  21:  40  22:  44  23:  39
24:  38  25:  45  26:  44  27:  40  28:  44  29:  40
30:  45  31:  40  32:  45  33:  41  34:  45  35:  39
36:  45  37:  39  38:  45  39:  39  40:  44  41:  39
42:  44  43:  39  44:  44  45:  39  46:  46  47:  39
48:  45  49:  39  50:  44  51:  39  52:  45  53:  39
54:  44  55:  39  56:  44  57:  39  58:  44  59:  39

r...@srx3600.spd.net.tr show security monitoring performance session
fpc  12 pic  0
Last 60 seconds:
 0:  127861   1:  146887   2:  130877   3:  147286   4:  134179   5:  145303
 6:  133196   7:  144339   8:  132233   9:  143981  10:  130861  11:  143042
12:  131280  13:  142719  14:  130623  15:  142493  16:  132094  17:  143124
18:  132726  19:  143938  20:  133022  21:  143349  22:  133100  23:  143469
24:  134321  25:  143694  26:  137340  27:  145672  28:  141399  29:  145458
30:  145697  31:  146920  32:  144260  33:  145259  34:  141360  35:  142157
36:  137389  37:  140399  38:  136483  39:  139640  40:  136597  41:  139363
42:  139707  43:  143110  44:  140994  45:  143038  46:  139781  47:  141751
48:  136746  49:  139456  50:  137395  51:  139898  52:  137503  53:  140300
54:  136762  55:  139315  56:  136245  57:  138951  58:  136685  59:  139288

r...@srx3600.spd.net.tr show chassis hardware
Hardware inventory:
Item Version  Part number  Serial number Description
Chassis  SRX 3600
Midplane REV 07   710-020310     SRX 3600 Midplane
PEM 0rev 08   740-027644    AC Power Supply
PEM 1rev 08   740-027644    AC Power Supply
CB 0 REV 14   750-021914     SRX3k RE-12-10
  Routing Engine  BUILTIN  BUILTIN   Routing Engine
  CPP BUILTIN  BUILTIN   Central PFE Processor
  Mezz   REV 08   710-021035     SRX HD Mezzanine Card
FPC 0REV 16   750-021882     SRX3k SFB 12GE
  PIC 0   BUILTIN  BUILTIN   8x 1GE-TX 4x 1GE-SFP
FPC 1REV 20   750-020321     SRX3k 2x10GE XFP
  PIC 0   BUILTIN  BUILTIN   2x 10GE-XFP
Xcvr 0NON-JNPR  XFP-10G-SR
Xcvr 1NON-JNPR  XFP-10G-SR
FPC 4REV 14   750-020321     SRX3k 2x10GE XFP
  PIC 0   BUILTIN  BUILTIN   2x 10GE-XFP
Xcvr 0NON-JNPR  XFP-10G-SR
Xcvr 1
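
An added example, not part of the original post and not Juniper tooling: a small Python parser for the `show security flow cp-session summary` counters quoted above, measuring how much of the central-point session table is held by pending (half-open) sessions and how full the table is. The function names and both alarm thresholds are assumptions to tune per device.

```python
import re

# Constructed sample: the counters quoted in the original post, prompt omitted.
SAMPLE = """\
Valid sessions: 141
Pending sessions: 621628
Invalidated sessions: 517864
Sessions in other states: 1
Total sessions: 1139634
Maximum sessions: 2359296
"""

FIELD = re.compile(
    r"^[ \t]*(Valid|Pending|Invalidated|Total|Maximum) sessions:[ \t]*(\d+)[ \t]*$",
    re.M,
)
REQUIRED = {"valid", "pending", "invalidated", "total", "maximum"}


def parse_cp_summary(text):
    """Return the cp-session summary counters as a dict of ints."""
    counters = {name.lower(): int(value) for name, value in FIELD.findall(text)}
    missing = REQUIRED - counters.keys()
    if missing:
        # Truncated or wrapped captures must not be scored silently.
        raise ValueError(f"missing counters: {sorted(missing)}")
    return counters


def assess(counters, pending_alarm=0.5, fill_alarm=0.8):
    """Score the table; both thresholds are assumptions, not vendor values."""
    total = counters["total"] or 1  # idle box: avoid dividing by zero
    pending_ratio = counters["pending"] / total
    fill = counters["total"] / counters["maximum"]
    findings = []
    if pending_ratio >= pending_alarm:
        findings.append("half-open sessions dominate the CP table")
    if fill >= fill_alarm:
        findings.append("CP session table close to its maximum")
    return {"pending_ratio": pending_ratio, "fill": fill, "findings": findings}


if __name__ == "__main__":
    result = assess(parse_cp_summary(SAMPLE))
    print(f"pending {result['pending_ratio']:.1%}, table fill {result['fill']:.1%}")
    for finding in result["findings"]:
        print("ALERT:", finding)
```

On the posted counters, more than half of the table is pending sessions while the table itself is under half full.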