Hello community, I have strange behavior on my MX80 (Junos version 11.4R8.4) under DDoS attacks. The router drops all BGP sessions (hold timer expiry) with a 3-5 Gbps DDoS. Can someone explain to me what hardware input drops are:
snoop@mx80> show pfe statistics traffic
Packet Forwarding Engine traffic statistics:
    Input  packets:      39678419501507              1706807 pps
    Output packets:      39420428185109              1740106 pps
Packet Forwarding Engine local traffic statistics:
    Local packets input                 :     3054025645
    Local packets output                :     2570628629
    Software input control plane drops  :              0
    Software input high drops           :              0
    Software input medium drops         :              0
    Software input low drops            :              0
    Software output drops               :              0
    Hardware input drops                :     1694162000

I have a firewall input filter on lo0.0 and jddos enabled, and I've noticed that protocol reject is violated while the DDoS is active:

Jan 31 09:40:19 mx80 jddosd[1386]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1086 times, started at 2014-01-31 09:40:18 EET, last seen at 2014-01-31 09:40:18 EET

snoop@mx80> show ddos-protection protocols reject
Protocol Group: Reject

  Packet type: aggregate (Aggregate for all reject traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            80000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    System-wide information:
      Aggregate bandwidth is no longer being violated
        No. of FPCs that have received excess traffic: 1
        Last violation started at: 2014-01-31 09:40:18 EET
        Last violation ended at:   2014-01-31 09:50:38 EET
        Duration of last violation: 00:10:20  Number of violations: 1086
      Received:  25457232543         Arrival rate:     966 pps
      Dropped:   2962974870          Max arrival rate: 262754 pps
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 80000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 0 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (80000 packets), enabled
      Aggregate policer is no longer being violated
        Last violation started at: 2014-01-31 09:40:18 EET
        Last violation ended at:   2014-01-31 09:50:38 EET
        Duration of last violation: 00:10:20  Number of violations: 1086
      Received:  25457232543         Arrival rate:     966 pps
      Dropped:   2962974870          Max arrival rate: 262754 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer: 2962974870

But I don't have any reject action in my firewall rules. Please point me in the right direction.

Kind regards,
Alexander.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
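The following is an added example, not part of the post above and not Juniper's code. It parses the two kinds of evidence the post shows (the jddosd DDOS_PROTOCOL_VIOLATION_SET syslog line and the `show ddos-protection protocols` / `show pfe statistics traffic` output) so that a monitoring job can turn them into numbers worth alerting on: how far the peak arrival rate overshot the policer bandwidth, what fraction of the group's packets were dropped, and the raw hardware input drop counter. The regular expressions assume the exact message and column layout seen in the post; the second syslog line and the ICMP group in the sample data are constructed for the example and were not in the original message.

```python
import re

# Constructed sample data. The first syslog line and the CLI text reproduce the
# post; the second syslog line (an ICMP group) is made up in the same format.
SAMPLE_SYSLOG = """\
Jan 31 09:40:19 mx80 jddosd[1386]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1086 times, started at 2014-01-31 09:40:18 EET, last seen at 2014-01-31 09:40:18 EET
Jan 31 09:41:07 mx80 jddosd[1386]: DDOS_PROTOCOL_VIOLATION_SET: Protocol ICMP:aggregate is violated at fpc 0 for 2 times, started at 2014-01-31 09:41:05 EET, last seen at 2014-01-31 09:41:06 EET
"""

SAMPLE_SHOW = """\
Protocol Group: Reject
  Packet type: aggregate (Aggregate for all reject traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            80000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    System-wide information:
      Aggregate bandwidth is no longer being violated
      Received:  25457232543         Arrival rate:     966 pps
      Dropped:   2962974870          Max arrival rate: 262754 pps
    Routing Engine information:
      Bandwidth: 20000 pps, Burst: 80000 packets, enabled
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    FPC slot 0 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (80000 packets), enabled
      Received:  25457232543         Arrival rate:     966 pps
      Dropped:   2962974870          Max arrival rate: 262754 pps
        Dropped by aggregate policer: 2962974870
"""

SAMPLE_PFE = """\
Packet Forwarding Engine local traffic statistics:
    Software output drops               :              0
    Hardware input drops                :     1694162000
"""

# Matches the DDOS_PROTOCOL_VIOLATION_SET format exactly as it appears in the post.
VIOLATION_RE = re.compile(
    r"jddosd\[\d+\]: DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<group>[^:]+):(?P<ptype>\S+) "
    r"is violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    r"started at (?P<start>.+?), last seen at (?P<last>.+)$"
)

# Section headers of the "show ddos-protection protocols <group>" output.
SECTION_RE = re.compile(r"^\s*(System-wide|Routing Engine|FPC slot \d+) information:", re.M)
COUNTER_RE = {
    "received": re.compile(r"Received:\s*(\d+)"),
    "dropped": re.compile(r"Dropped:\s*(\d+)"),
    "max_rate_pps": re.compile(r"Max arrival rate:\s*(\d+) pps"),
}


def parse_violations(syslog_text):
    """Return one dict per DDOS_PROTOCOL_VIOLATION_SET line (other lines are ignored)."""
    events = []
    for line in syslog_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append({
                "group": m["group"], "type": m["ptype"], "fpc": int(m["fpc"]),
                "count": int(m["count"]), "started": m["start"], "last_seen": m["last"],
            })
    return events


def parse_show_ddos(text):
    """Extract the configured policer bandwidth and per-section counters."""
    group = re.search(r"Protocol Group:\s*(\S+)", text)[1]
    bandwidth = int(re.search(r"Bandwidth:\s*(\d+) pps", text)[1])  # first match = config
    sections, marks = {}, list(SECTION_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end]
        sections[m[1]] = {k: int(r.search(body)[1]) for k, r in COUNTER_RE.items()}
    return {"group": group, "bandwidth_pps": bandwidth, "sections": sections}


def assess(show_text, section="System-wide"):
    """Compare the observed peak with the policer and compute the drop fraction."""
    info = parse_show_ddos(show_text)
    s = info["sections"][section]
    drop_ratio = s["dropped"] / s["received"] if s["received"] else 0.0
    return {
        "group": info["group"],
        "policer_exceeded": s["max_rate_pps"] > info["bandwidth_pps"],
        "overshoot_factor": round(s["max_rate_pps"] / info["bandwidth_pps"], 1),
        "drop_ratio": round(drop_ratio, 3),
    }


def hardware_input_drops(pfe_text):
    """Pull the 'Hardware input drops' counter from 'show pfe statistics traffic'."""
    m = re.search(r"Hardware input drops\s*:\s*(\d+)", pfe_text)
    return int(m[1]) if m else None


if __name__ == "__main__":
    for ev in parse_violations(SAMPLE_SYSLOG):
        print(f"{ev['group']}:{ev['type']} violated {ev['count']}x on fpc {ev['fpc']}")
    print(assess(SAMPLE_SHOW))
    print("hardware input drops:", hardware_input_drops(SAMPLE_PFE))
```

Run against the post's own numbers this reports a peak of roughly 13 times the 20000 pps policer for the Reject group, with about 12% of the group's packets dropped; polling these values (and the hardware input drop counter, which the post shows climbing in parallel) gives a defender something to trend and alert on rather than waiting for BGP hold timers to expire.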