Markus,

The percentage of UDP traffic can vary from less than 5 percent to more than 50 
percent of network traffic. After establishing a baseline, you can decide if it 
is necessary to rate-limit UDP to preserve bandwidth for other protocols.

For establishing the above baseline, counters should be implemented on routers 
to count UDP packets traversing the network. By comparing these counters with 
the total number of packets seen, you can derive a percentage of total packets 
and bandwidth

set firewall filter <ur existing filter> term udp from protocol udp
set firewall filter <ur existing filter> term udp from destination-port <>
set firewall filter <ur existing filter> term udp then count udp-traffic

Just add the above term to your existing input filter facing upstream providers 
in order to derive the % UDP traffic for setting the threshold (if required). 
{You may need to monitor it for a couple of days to get the maximum average 
value.} You can in fact even poll this counter in your Cacti/MRTG to get a 
pictorial view of its min/avg/max value.

Regarding rate-limiting UDP traffic on lo0.0, it depends on your setup & the 
protocols you are running, like SNMP, DNS, NTP, LDP & so on... IMHO, rather than 
rate-limiting, a more feasible approach would be to define a trusted 
source-prefix for all UDP traffic meant for the router.

Ex: 

set firewall family inet filter Loopback-Filter term DNS from source-address <DNS IP>
set firewall family inet filter Loopback-Filter term DNS from protocol udp
set firewall family inet filter Loopback-Filter term DNS from source-port 53
set firewall family inet filter Loopback-Filter term DNS then accept

set firewall family inet filter Loopback-Filter term LDP from source-address <Internal Subnets used for LDP>
set firewall family inet filter Loopback-Filter term LDP from protocol udp
set firewall family inet filter Loopback-Filter term LDP from protocol tcp
set firewall family inet filter Loopback-Filter term LDP from port ldp
set firewall family inet filter Loopback-Filter term LDP then accept

Hope it helps! 


Thanks & Regards
Tarique Abbas Nalkhande
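As an added illustration of the two points in the reply above (this is not config from Tarique's mail or from the list), here is the counting term and the trusted-source lo0 filter written out in hierarchical form, loadable with "load merge". Assumptions: ge-0/0/0 is the upstream-facing interface, the upstream input filter is called FROM-UPSTREAM, and the DNS, NTP and SNMP source addresses (192.0.2.53, 192.0.2.123, 198.51.100.0/24) are placeholders from the documentation ranges. The counting term uses "next term" so that counting does not short-circuit the rest of the filter: a term whose "then" has no terminating action accepts the packet, which would bypass every term below it for all UDP. On lo0 the last UDP term only counts for now; it is meant to be switched to discard once the counter shows that nothing legitimate lands in it.

```junos
interfaces {
    /* assumed upstream-facing interface */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input FROM-UPSTREAM;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Loopback-Filter;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter FROM-UPSTREAM {
            /* Baseline term: count every UDP packet, then keep evaluating
               the remaining terms instead of implicitly accepting. */
            term udp-count {
                from {
                    protocol udp;
                }
                then {
                    count udp-traffic;
                    next term;
                }
            }
            /* the existing terms of the upstream filter go here */
            term default {
                then accept;
            }
        }
        filter Loopback-Filter {
            /* UDP to the RE is accepted only from trusted sources */
            term DNS {
                from {
                    source-address {
                        192.0.2.53/32;    /* placeholder resolver */
                    }
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            term NTP {
                from {
                    source-address {
                        192.0.2.123/32;   /* placeholder NTP server */
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            term SNMP {
                from {
                    source-address {
                        198.51.100.0/24;  /* placeholder management subnet */
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* Any other UDP to the RE: count it first. Change "accept" to
               "discard" after the counter has stayed at zero for a while. */
            term other-udp {
                from {
                    protocol udp;
                }
                then {
                    count udp-to-re-unexpected;
                    accept;
                }
            }
            /* non-UDP control traffic (BGP, SSH, ...) is out of scope here */
            term everything-else {
                then accept;
            }
        }
    }
}
```

To read the baseline, compare "show firewall filter FROM-UPSTREAM counter udp-traffic" against the total input packets and bytes from "show interfaces ge-0/0/0 statistics" over the same interval; "clear firewall filter FROM-UPSTREAM" resets the counter when you start a new measurement window. The same "show firewall" output gives the udp-to-re-unexpected counter that decides when the lo0 catch-all term is safe to turn into a discard.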



-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Markus
Sent: 19 April, 2011 3:34 AM
To: [email protected]
Subject: [j-nsp] Paid: need small M7i config snippet (policer)

Hi,

I have an M7i and some customers are attracting DDoS attacks (UDP packet
floods) causing some 100 Mbps switches in the LAN to saturate and, in case
of large DDoSes, sometimes also the upstream links. This is not good. :)
Therefore I'd like to implement the following:

UDP throughput coming in from the internet to a specific local IP address
(or subnet) should never exceed 50 Mbps.

And to protect the RE: UDP throughput to the router itself should never
exceed n Mbps (what's a good value?).

I have no lab router to mess around with so I would like to request a
config snippet that just works. I'm offering money (PayPal, CC, wire) for
the person or company who is willing to do that.

You can get in touch with me off-list.

Thank you!
Markus

PS:

Item             Version  Part number  Serial number     Description
Chassis                                36947             M7i
Midplane         REV 04   710-008761   CK5276            M7i Midplane
Power Supply 0   Rev 05   740-008537   5218978           AC Power Supply
Power Supply 1   Rev 05   740-008537   5240260           AC Power Supply
Routing Engine   REV 06   740-011202   1000691275        RE-850
CFEB             REV 04   750-010463   CK3066            Internet Processor II
FPC 0                                                    E-FPC
  PIC 0          REV 07   750-010238   CL0382            1x G/E SFP, 1000 BASE
    SFP 0        REV 01   740-013111   51231147          SFP-T
FPC 1                                                    E-FPC
  PIC 2                   BUILTIN      BUILTIN           1x Tunnel
  PIC 3          REV 06   750-009099   CK8663            1x G/E, 1000 BASE
    SFP 0        REV 01   740-013111   51231161          SFP-T

--- JUNOS 8.0R2.8 built 2006-09-29 08:32:29 UTC
(Old, I know... )
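As an added example of the two policers the original request asks for (this is not a snippet from the thread and has not been tested on JUNOS 8.0), in hierarchical form for "load merge". Assumptions: the customer prefix is 203.0.113.0/24 (a placeholder), the upstream input filter FROM-UPSTREAM and the lo0.0 input filter Loopback-Filter are already applied to their interfaces, and the 2m limit for UDP to the RE is a placeholder to be sized against a measured baseline of UDP actually reaching the router, not a recommendation. A policer in the "then" clause drops traffic above the limit and accepts the rest; the term's own counter records everything that matched, while the policer's discard counter shows what was dropped.

```junos
firewall {
    /* Customer-facing limit: UDP towards the prefix never exceeds 50 Mbps
       past this router, which protects the 100 Mbps LAN switches. */
    policer udp-customer-50m {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 1m;
        }
        then discard;
    }
    /* RE protection: placeholder value, tune to the measured baseline */
    policer udp-to-re {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 200k;
        }
        then discard;
    }
    family inet {
        filter FROM-UPSTREAM {
            term udp-to-customer {
                from {
                    destination-address {
                        203.0.113.0/24;   /* placeholder customer prefix */
                    }
                    protocol udp;
                }
                then {
                    policer udp-customer-50m;
                    count udp-customer-matched;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
        filter Loopback-Filter {
            /* trusted-source terms (DNS, NTP, ...) belong above this one */
            term udp-to-re {
                from {
                    protocol udp;
                }
                then {
                    policer udp-to-re;
                    count udp-to-re-matched;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

"show firewall filter FROM-UPSTREAM" lists the term counter together with the policer's discard counter (Junos names it after the policer and the term it is used in), which is the quickest way to confirm the policer is actually engaging during a flood. One limitation worth keeping in mind: the policer discards excess UDP at the M7i's input, so it relieves the LAN switches and the customer but not the upstream links themselves, which only filtering on the provider's side can protect.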



_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp


