This is exactly what happened. The session table filled up. One of our security guys took down our edge 650 cluster from a single unix box out on the net.
Sent from my iPhone

On Jun 22, 2012, at 4:39 AM, "Scott T. Cameron" <[email protected]> wrote:

> On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean <[email protected]> wrote:
>
>> I have a /24 I want to announce, but I don't actually have it anywhere on
>> the network. I NAT some of its IPs on the SRX that has the BGP session
>> with our providers.
>>
>> I've been using static routes with the discard flag, but I don't really
>> like the way the SRX handles traffic. It still creates sessions for traffic
>> destined to IPs not used anywhere (hitting the static route) and can be
>> easily DoS'd because of this.
>>
>> Is there a better way to just tell our providers hey, we have this range?
>>
>
> It sounds like you're using the SRX as an edge router with a BGP session
> upstream?
>
> I don't have this architecture here, but I had the same problem. I had my
> edge router announce the /24 to the BGP upstreams, and my SRX announce the
> /24 via OSPF to the MX.
>
> Unfortunately, one of my IPs was hammered, and filled up the session table
> with invalid sessions. That's the real issue, at least in my case: even
> invalid sessions were taking a session, and prohibiting legitimate traffic
> from flowing.
>
> The solution was only to announce from SRX to MX (edge router) the /32s
> that were actually in use.
>
> I suppose that a firewall filter may help on your ingress ports to only
> permit the traffic to the /32s that are actually in use, but I can't say
> from experience if this will happen before a session is created, even in
> invalid state.
>
> Scott
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp
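A stateless ingress filter of the kind Scott describes, written out as an added example (it is not configuration from either poster). It assumes, as placeholders, that 192.0.2.0/24 is the range announced upstream, that 192.0.2.10 and 192.0.2.20 are the only hosts actually NATed, and that ge-0/0/0.0 is the provider-facing interface.

```junos
# Constructed example, not from the thread. Placeholders: 192.0.2.0/24 is the
# range announced upstream; only 192.0.2.10 and .20 are really in use (NATed);
# ge-0/0/0.0 faces the providers.

# Keep the covering route so the /24 stays announceable without a real next hop
set routing-options static route 192.0.2.0/24 discard

# The only addresses inside the /24 that should ever be allowed to create a session
set policy-options prefix-list in-use-hosts 192.0.2.10/32
set policy-options prefix-list in-use-hosts 192.0.2.20/32

# Stateless filter: accept traffic to in-use hosts, count and silently drop the
# rest of the /24, and leave every other destination alone
set firewall family inet filter drop-unused-prefix term allow-in-use from destination-prefix-list in-use-hosts
set firewall family inet filter drop-unused-prefix term allow-in-use then accept
set firewall family inet filter drop-unused-prefix term drop-rest from destination-address 192.0.2.0/24
set firewall family inet filter drop-unused-prefix term drop-rest then count unused-prefix-drops
set firewall family inet filter drop-unused-prefix term drop-rest then discard
set firewall family inet filter drop-unused-prefix term default then accept

# Apply it inbound on the provider-facing interface
set interfaces ge-0/0/0 unit 0 family inet filter input drop-unused-prefix
```

On SRX the interface input filter runs in the packet-based stage ahead of the flow module's session lookup, so packets discarded here never take a session-table entry, which answers the question Scott left open. The `unused-prefix-drops` counter (`show firewall filter drop-unused-prefix`) shows how much junk the filter is absorbing, and the prefix list must be kept in step with whatever the NAT rules actually use.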

