Hello,

Trio DDOS employs a hierarchy/chain of policers. Assuming flow detection is at default (and default==not configured), the first policer in a chain would be the FPC aggregate one, and it is 20Kpps by default.

Your 188K offered BGP traffic is therefore rate-limited OUT OF FPC to 20Kpps.

And then the RE aggregate policer kicks in, also at 20Kpps. Therefore, your already-rate-limited BGP traffic is rate-limited a second time with another 20Kpps policer, and because of imperfect rate-limiting by the first FPC policer (instead of strictly 20Kpps it passed 22100 pps) the RE agg policer detected a short-lived 1 sec violation.

As Saku mentioned, with default config the Trio DDOS is not doing much; you'd need to enable flow detection and then tune every single protocol policer in the chain because the default policers are either too generous or too strict.

Hope this makes sense

Thanks

Alex
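To make the policer chain above concrete, here is a toy simulation added to this thread (it is not Juniper code and not from either poster). It chains two token-bucket policers, FPC aggregate then RE aggregate, both at the 20Kpps default quoted above, and feeds them the two arrival rates from Jason's output (22925 and 188433 pps). The burst allowance of 2000 packets and the 100 pps of legitimate BGP traffic are constructed assumptions used only to illustrate two things: why the RE sees a single one-second violation with zero drops while the FPC violates continuously, and why a policer that cannot distinguish flows (no flow detection) lets a far smaller share of real BGP packets through at 188Kpps than at 22Kpps.

```python
"""Toy model of the FPC -> RE aggregate-policer chain described in the thread.

Added illustration, not Juniper code. Assumptions: one-second token buckets
with a small burst allowance, and drops falling proportionally on every
flow sharing the policer. Only the 20 Kpps default rate comes from the thread.
"""

DEFAULT_RATE_PPS = 20_000   # default aggregate policer rate, as quoted in the thread


class TokenBucketPolicer:
    """One aggregate policer stage: admits up to rate_pps per second plus a burst."""

    def __init__(self, name, rate_pps=DEFAULT_RATE_PPS, burst_pkts=2_000):
        self.name = name
        self.rate_pps = rate_pps
        self.burst_pkts = burst_pkts       # assumed; mimics the ~22100 pps the RE actually saw
        self.tokens = float(rate_pps + burst_pkts)   # bucket starts full
        self.dropped = 0
        self.max_rate_seen = 0.0
        self.violations = 0                # number of violation episodes
        self.violating = False

    def tick(self, offered, dt=1.0):
        """Police `offered` packets arriving over `dt` seconds; return how many pass."""
        self.tokens = min(self.tokens + self.rate_pps * dt,
                          self.rate_pps + self.burst_pkts)
        admitted = min(offered, int(self.tokens))
        self.tokens -= admitted
        self.dropped += offered - admitted
        # In the thread's output the RE logged a violation while dropping nothing,
        # so a violation is modelled as arrival rate above the configured bandwidth,
        # independent of whether the burst allowance absorbed the excess.
        rate = offered / dt
        self.max_rate_seen = max(self.max_rate_seen, rate)
        over = rate > self.rate_pps
        if over and not self.violating:
            self.violations += 1           # a new violation episode starts
        self.violating = over
        return admitted


def simulate_chain(offered_pps, seconds):
    """Run a constant offered load through FPC then RE policers, one tick per second.

    Returns (fpc_policer, re_policer, trace) where trace holds, per second,
    the packets passed by the FPC and then by the RE.
    """
    fpc = TokenBucketPolicer("fpc-aggregate")
    re = TokenBucketPolicer("re-aggregate")
    trace = []
    for _ in range(seconds):
        passed_fpc = fpc.tick(offered_pps)
        passed_re = re.tick(passed_fpc)    # the RE only ever sees what the FPC let through
        trace.append((passed_fpc, passed_re))
    return fpc, re, trace


def legit_survival(bogus_pps, legit_pps, rate_pps=DEFAULT_RATE_PPS):
    """Fraction of legitimate packets expected to survive a shared aggregate policer.

    Without flow detection the policer cannot tell the flood from real BGP
    sessions; assuming drops fall proportionally on every flow, the surviving
    share is the policer rate divided by the total offered rate.
    """
    total = bogus_pps + legit_pps
    return min(1.0, rate_pps / total) if total else 1.0


if __name__ == "__main__":
    for load in (22_925, 188_433):        # the two arrival rates from the thread
        fpc, re, trace = simulate_chain(load, 5)
        print(f"offered {load} pps: FPC steady-state pass {trace[-1][0]} pps, "
              f"FPC violating={fpc.violating}, FPC dropped={fpc.dropped}, "
              f"RE violations={re.violations}, RE dropped={re.dropped}, "
              f"RE max rate seen={re.max_rate_seen:.0f} pps")
        # 100 pps of real BGP traffic is a constructed figure for illustration
        print(f"  share of legitimate BGP packets surviving: {legit_survival(load, 100):.0%}")
```

In both runs the RE records exactly one violation episode (the first second, when the FPC's burst allowance let ~22K through) and drops nothing, while the FPC violates continuously; the only thing that changes with the offered load is the FPC's drop count, and with it the share of real BGP packets that survive, which is what separates the 22Kpps case from the 188Kpps one.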

On 04/01/2019 21:45, Jason Lixfeld wrote:

On Jan 4, 2019, at 3:06 PM, Jason Lixfeld <jason-j...@lixfeld.ca> wrote:

Hi,

Before I go too far down the rabbit hole of looking into the DDoS Protection 
parent feature on MX, does anyone know if it’s supported on MX204?

So it’s a shallow rabbit hole; it’s enabled by default and after poking around 
with it a bit, it seems to be supported.

But, I’m seeing behaviour that doesn’t quite compute.

No RE filter configured, just the default DDoS protection.  Sending about 22k 
pps of bogus BGP packets.

FPC is in violation, but RE isn’t.  Remaining BGP sessions are still up.

jlixfeld@r# run show ddos-protection protocols bgp statistics
Packet types: 1, Received traffic: 1, Currently violated: 1
Protocol Group: BGP

   Packet type: aggregate
     System-wide information:
       Aggregate bandwidth is being violated!
        No. of FPCs currently receiving excess traffic: 1
        No. of FPCs that have received excess traffic:  1
        Violation first detected at: 2019-01-04 16:13:28 EST
        Violation last seen at:      2019-01-04 16:32:51 EST
        Duration of violation: 00:19:23 Number of violations: 5
       Received:  67923912            Arrival rate:     22925 pps
       Dropped:   46234805            Max arrival rate: 190065 pps
     Routing Engine information:
       Aggregate policer is no longer being violated
        Last violation started at: 2019-01-04 16:13:33 EST
        Last violation ended at:   2019-01-04 16:13:34 EST
        Duration of last violation: 00:00:01 Number of violations: 1
       Received:  21663099            Arrival rate:     19952 pps
       Dropped:   0                   Max arrival rate: 22228 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   0
     FPC slot 0 information:
       Aggregate policer is currently being violated!
        Violation first detected at: 2019-01-04 16:13:29 EST
        Violation last seen at:      2019-01-04 16:32:51 EST
        Duration of violation: 00:19:22 Number of violations: 4
       Received:  67923912            Arrival rate:     22925 pps
       Dropped:   46234805            Max arrival rate: 190065 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   46234805
        Dropped by flow suppression:    0
       Flow counts:
         Aggregation level     Current       Total detected   State
         Subscriber            0             0                Active

[edit]
jlixfeld@r#

If I send 188k pps, RE is still not in violation, but BGP sessions die.

jlixfeld@r# run show ddos-protection protocols bgp statistics
Packet types: 1, Received traffic: 1, Currently violated: 1
Protocol Group: BGP

   Packet type: aggregate
     System-wide information:
       Aggregate bandwidth is being violated!
        No. of FPCs currently receiving excess traffic: 1
        No. of FPCs that have received excess traffic:  1
        Violation first detected at: 2019-01-04 16:13:28 EST
        Violation last seen at:      2019-01-04 16:24:13 EST
        Duration of violation: 00:10:45 Number of violations: 5
       Received:  30565770            Arrival rate:     188433 pps
       Dropped:   19208137            Max arrival rate: 189414 pps
     Routing Engine information:
       Aggregate policer is no longer being violated
        Last violation started at: 2019-01-04 16:13:33 EST
        Last violation ended at:   2019-01-04 16:13:34 EST
        Duration of last violation: 00:00:01 Number of violations: 1
       Received:  11423775            Arrival rate:     19857 pps
       Dropped:   0                   Max arrival rate: 22100 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   0
     FPC slot 0 information:
       Aggregate policer is currently being violated!
        Violation first detected at: 2019-01-04 16:13:28 EST
        Violation last seen at:      2019-01-04 16:24:13 EST
        Duration of violation: 00:10:45 Number of violations: 4
       Received:  30565770            Arrival rate:     188433 pps
       Dropped:   19208137            Max arrival rate: 189414 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   19208137
        Dropped by flow suppression:    0
       Flow counts:
         Aggregation level     Current       Total detected   State
         Subscriber            0             0                Active

[edit]
jlixfeld@r#

If the same policer is doing the same job whether it’s 22kpps or 188kpps, I’d 
expect no difference in the effects the different rates would have on the BGP 
session.

Am I missing something?
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp