Dear James,

Do you face something like that?

http://gorselpaylas.com/image/5
http://gorselpaylas.com/image/7
http://gorselpaylas.com/image/A
http://gorselpaylas.com/image/D

On 10/04/17 10:14, "Felix Schüren" <[email protected]> wrote:

>From memory, the MXes by default have a single shared policer across all
>interfaces for stuff like ARP, which means that the flood you received against
>non-existent but "directly reachable" IPs most likely triggered this global
>policer, which caused ARP/ND timeouts on all (even non-attacked) interfaces,
>which then caused BGP/IGP timeouts. You've effectively DoSed yourself with the
>ARP requests I think. :)
>
>Kind regards,
>Felix
>
>________________________________________
>From: juniper-nsp <[email protected]> on behalf of Mark Tees
><[email protected]>
>Sent: Monday, April 10, 2017 8:49 AM
>To: Cahit Eyügünlü
>Cc: [email protected]
>Subject: Re: [j-nsp] ddos protocol protection - IPv4-unclassified
>
>From memory, when I last tested this the default settings were pretty
>bad when under DoS conditions (IGP, BGP going down due to packets being
>dropped).
>
>Ytti will probably pop up and comment on this, but we have
>flow-detection configured under global for ddos-protection, which
>creates flows and then actions when under DDoS-like conditions rather than
>hitting static policers. Only after we enabled flow-detection did we
>start surviving those conditions.
>
>https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-scfd-overview.html
>http://blog.ip.fi/2014/03/quick-look-at-trio-ddos-protection-with.html
>
>
>On 10 April 2017 at 13:20, Cahit Eyügünlü <[email protected]> wrote:
>> We are facing the exact same thing with MX80.
>>
>> Sent from my iPhone
>>
>> James Jun <[email protected]> wrote (10 Apr 2017 09:14):
>>
>>> Hello Folks,
>>>
>>> We had a strange DoS attack against a customer attached to an MX104 router
>>> that caused the device to completely stop forwarding all legitimate traffic
>>> (routing protocols, both IGP and BGP, timed out across all adjacencies and
>>> sessions).
>>>
>>> The attack traffic was roughly 5.9 Gbps and it was 9.5 million packets per
>>> second, mostly a mix of TCP SYN and non-initial fragments, etc. It was coming
>>> from a single source IP, but targeting random IPv4 addresses inside a
>>> directly attached customer /23, where many of the destination targets were
>>> unused addresses on the customer's network (no ARP entry).
>>>
>>> During the event, I saw the IPv4-unclassified protocol group getting rate
>>> limited by ddos-protection, where the aggregate policer kicked in at 858k pps:
>>>
>>>   Received: 5659052312 Arrival rate: 1 pps
>>>   Dropped: 5641705949 Max arrival rate: 858556 pps
>>>
>>> Does the tripping of the IPv4-unclassified policer impact any control-plane
>>> traffic on the router that may have caused it to drop routing protocols?
>>>
>>> Aside from ARP sponging out unused addresses, are there any best practices
>>> for MX routers to better protect the device against attacks targeting unused
>>> IPs on directly attached subnets? Given that first gen Trio on this box
>>> should be able to handle 55 Mpps, it seems like this is odd, or
>>> ddos-protection is policing something that it shouldn't have. The customer
>>> port is 1GE on a 20x1G MIC card behind the QX chip side, but we're not doing
>>> any queueing on the box.
>>>
>>> Thanks,
>>> James
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list [email protected]
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>> Cahit Eyügünlü
>> SPDNET A.Ş
>
>--
>Regards,
>
>Mark L. Tees

Cahit Eyügünlü
SPDNET A.Ş
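As an added example (written for this page, not code from any poster in the thread), a small parser for the two ddos-protection counter lines James pasted for the IPv4-unclassified group: it extracts the counters, computes the drop ratio, and flags whether the peak arrival rate crossed a policer limit that the operator supplies (the limit value is an assumption of the caller, not a Junos default). The sample input is constructed from the lines in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two counter lines James quoted for the
# IPv4-unclassified protocol group, not a full "show ddos-protection" capture.
SAMPLE_STATS = """\
Received: 5659052312 Arrival rate: 1 pps
Dropped: 5641705949 Max arrival rate: 858556 pps
"""


@dataclass
class PolicerStats:
    received: int
    dropped: int
    arrival_rate_pps: int       # current arrival rate
    max_arrival_rate_pps: int   # peak arrival rate seen by this policer

    @property
    def drop_ratio(self) -> float:
        """Fraction of packets that reached this policer and were dropped."""
        return self.dropped / self.received if self.received else 0.0


# Patterns are case-sensitive, so "Arrival rate:" does not also match the
# lowercase "arrival" inside "Max arrival rate:".
_FIELDS = {
    "received": re.compile(r"Received:\s+(\d+)"),
    "dropped": re.compile(r"Dropped:\s+(\d+)"),
    "arrival_rate_pps": re.compile(r"Arrival rate:\s+(\d+)\s+pps"),
    "max_arrival_rate_pps": re.compile(r"Max arrival rate:\s+(\d+)\s+pps"),
}


def parse_policer_stats(text: str) -> PolicerStats:
    """Parse one protocol group's Received/Dropped counter lines."""
    values = {}
    for name, pattern in _FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"missing field {name!r} in ddos-protection output")
        values[name] = int(match.group(1))
    return PolicerStats(**values)


def policer_was_violated(stats: PolicerStats, pps_limit: int) -> bool:
    """True if the peak rate reached the given limit and drops actually occurred.
    A high drop_ratio with a near-zero current arrival rate, as in the sample,
    means the flood has subsided but the group was heavily policed at its peak."""
    return stats.dropped > 0 and stats.max_arrival_rate_pps >= pps_limit
```

Drops in a single group do not by themselves show whether other groups (for example ARP) were also policed; the same parser can be run over each group's counters to check that.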

