Hello Folks,
We had a strange DoS attack against a customer attached to an MX104 router that
caused the device to
completely stop forwarding all legitimate traffic (routing protocols both igp
and bgp timed out across
all adjacencies and sessions).
The attack traffic was roughly 5.9 Gbps and it was 9.5 million packets per
second, mostly mix of tcp
syn and non-init frags, etc. It was coming from a single source IP, but
targeting random IPv4 addresses
inside a directly attached customer /23, where many of the destination targets
were unused addresses
on customer's network (no arp entry).
During the event, I saw IPv4-unclassified protocol group getting rate limited
by ddos-protection, where
aggregate policer kicked in at 858k pps:
Received: 5659052312 Arrival rate: 1 pps
Dropped: 5641705949 Max arrival rate: 858556 pps
Does the tripping of IPv4-unclassified policer impact any control-plane traffic
on the router that may have
caused it to drop routing protocols?
Aside from arp sponging out unused addresses, are there any best practices for
MX routers to better protect
the device against attacks targeting unused IPs on directly attached subnets?
Given that first gen Trio on
this box should be able to handle 55 Mpps, it seems like this is odd or
ddos-protection is policing
something that it shouldn't have. Customer port is 1GE on a 20x1G MIC card
behind the QX chip side, but
we're not doing any queueing on the box.
Thanks,
James
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
