On 10 April 2017 at 09:49, Mark Tees <[email protected]> wrote:
> Hey,
>
> Ytti will probably pop up and comment on this but we have
> flow-detection configured under global for ddos-protection, which
> creates flows and then actions under DDoS-like conditions rather than
> hitting static policers. Only after we enabled flow-detection did we
> start surviving those conditions.
>
> https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-scfd-overview.html
> http://blog.ip.fi/2014/03/quick-look-at-trio-ddos-protection-with.html

As summoned.

Yeah, essentially the path is:

  wire => port filter => lo0 filter => ddos protection => npu2lc_cpu magic policer => lc_cpu => re_cpu

You can't change the NPU 2 LC_CPU magic policer, so you really don't want to congest it; it seems to be quite a low pps limiter. I would not dimension anything over 10kpps in ddos-protection.

When it comes to ddos-protection, it's a bit annoying that you cannot configure default values for all protocols. This means you manually need to configure each and every protocol there is, which means a very long ddos-protection config.

My recommendation is:

a) enable flow detection
b) disable sub-level detection, unless you know you can use it (we only have 5k HW policers; a UDP/TCP attacker using 5k SPORTs can congest all of them)
c) classify all protocols into one of three groups:
   a) critical (if down, there is an outage)
   b) used (we use this, but if it's congested, it's not an actual outage)
   c) unused (we don't use this protocol at all)
   Maybe have an aggregate level of 10kpps for critical, 1kpps for used and 10pps for unused
d) have a much smaller IFL level pps

The rationale is, it is ok to get your aggregate level violated. Like say you have two BGP customers, one of them has an L2 loop and gives you 1.48Mpps of BGP packets: your aggregate 10kpps BGP policer will get congested, the system will figure out the offending IFL and program a more specific IFL policer for the offending interface, keeping the rest of the BGP in the aggregate policer.

Time to figure out the congested policer and program a more specific policer is non-zero, so you might want to set some protocols with a bounded count to be statically detected at IFL level. Like BGP, you may want to preprogram IFL level policers always, provided you won't have more than 1-2k BGP sessions.

Of course having well-configured ddos-protection does not mean you don't need a good lo0 filter; they just serve different roles. Lo0 is to discriminate good from bad, ddos-protection is to protect one good from another (misbehaving) good.

In my experience Juniper is the only vendor on the market which delivers tools to protect the system from attackers, it's just quite complicated to configure. IOS-XR cannot be configured correctly, but out-of-the-box it's vastly better protected than JunOS (on platforms where IOS-XR has LPTS, which is not all IOS-XR platforms...). I assume most Juniper networks can be broken by a single DSL user.

--
++ytti
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
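The three-tier scheme and the long per-protocol config described above, as an added example that is not part of the original post or of Juniper's own tooling: a small Python generator that emits Junos set commands for it. The protocol list, the tier rates, the 10:1 aggregate-to-IFL ratio and the 10kpps ceiling are assumptions taken from the post's numbers, and the flow-detection knob names (flow-level-detection, flow-level-bandwidth) should be verified against your Junos release.

```python
# Added example (not from the post): emit Junos 'set' commands for a ddos-protection
# config following the three-tier scheme (critical/used/unused), with flow detection
# on, subscriber-level detection off, a smaller per-IFL rate, and static IFL-level
# detection for protocols with a bounded session count (BGP). Knob names assumed.

# Aggregate rates in pps per tier, from the post's suggestion.
TIERS = {"critical": 10000, "used": 1000, "unused": 10}

# Constructed classification; adjust to what the router actually uses.
CLASSIFICATION = {
    "bgp": "critical", "isis": "critical", "ldp": "critical",
    "ntp": "used", "dns": "used", "ssh": "used", "snmp": "used",
    "telnet": "unused", "pppoe": "unused", "l2tp": "unused",
}

# Protocols with a bounded peer count: always keep an IFL-level policer programmed
# instead of waiting for flow detection to find the offending interface.
STATIC_IFL = {"bgp"}

# The post advises not dimensioning anything above 10kpps because the NPU->LC_CPU
# policer cannot be changed and is easily congested.
MAX_AGGREGATE_PPS = 10000


def ddos_protection_config(classification, tiers=TIERS, static_ifl=STATIC_IFL,
                           ifl_divisor=10, max_aggregate_pps=MAX_AGGREGATE_PPS):
    """Return a list of Junos 'set' commands implementing the scheme."""
    lines = ["set system ddos-protection global flow-detection"]
    for proto in sorted(classification):
        pps = tiers[classification[proto]]
        if pps > max_aggregate_pps:
            raise ValueError(f"{proto}: {pps} pps exceeds the {max_aggregate_pps} pps ceiling")
        base = f"set system ddos-protection protocols {proto} aggregate"
        lines.append(f"{base} bandwidth {pps}")
        lines.append(f"{base} burst {pps}")  # burst sized equal to the rate as a simple default
        # Subscriber-level flows would exhaust the limited pool of HW policers.
        lines.append(f"{base} flow-level-detection subscriber off")
        # 'on' = always program IFL policers; 'automatic' = only once the aggregate is violated.
        mode = "on" if proto in static_ifl else "automatic"
        lines.append(f"{base} flow-level-detection logical-interface {mode}")
        # Per-IFL rate kept well below the aggregate so one misbehaving IFL is contained.
        lines.append(f"{base} flow-level-bandwidth logical-interface {max(1, pps // ifl_divisor)}")
    return lines


if __name__ == "__main__":
    print("\n".join(ddos_protection_config(CLASSIFICATION)))
```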

