Hello Folks,

We had a strange DoS attack against a customer attached to an MX104 router that caused the device to completely stop forwarding all legitimate traffic (routing protocols, both IGP and BGP, timed out across all adjacencies and sessions).

The attack traffic was roughly 5.9 Gbps and 9.5 million packets per second, mostly a mix of TCP SYN and non-initial fragments, etc. It was coming from a single source IP, but targeting random IPv4 addresses inside a directly attached customer /23, where many of the destination targets were unused addresses on the customer's network (no ARP entry).

During the event, I saw the IPv4-unclassified protocol group getting rate limited by ddos-protection, where the aggregate policer kicked in at 858k pps:

      Received:  5659052312          Arrival rate:     1 pps
      Dropped:   5641705949          Max arrival rate: 858556 pps


Does the tripping of the IPv4-unclassified policer impact any control-plane traffic on the router that may have caused it to drop routing protocols?

Aside from ARP sponging out unused addresses, are there any best practices for MX routers to better protect the device against attacks targeting unused IPs on directly attached subnets? Given that the first-gen Trio on this box should be able to handle 55 Mpps, it seems like this is odd, or ddos-protection is policing something that it shouldn't have. The customer port is 1GE on a 20x1G MIC card behind the QX chip side, but we're not doing any queueing on the box.


Thanks,
James

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
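As an added example (not part of the original post or of any Juniper tooling), the following Python script parses ddos-protection per-protocol-group counters of the kind quoted above and flags groups whose aggregate policer has tripped, reporting the drop ratio and how far the peak arrival rate overshot the configured bandwidth. The sample text is constructed: the IPv4-Unclassified counters are the ones from the post, while the "Bandwidth:" values, the ARP group and the surrounding line layout are assumptions that only approximate the real `show ddos-protection protocols statistics` output, so the regexes may need adjusting against a real capture.

```python
import re

# Constructed sample output. The Received/Dropped/Max arrival rate numbers
# for IPv4-Unclassified are taken from the post; the configured bandwidths,
# the ARP group and the exact line layout are assumptions for illustration.
SAMPLE_OUTPUT = """\
Protocol Group: IPv4-Unclassified

  Packet type: aggregate
    Aggregate policer configuration:
      Bandwidth:        10000 pps
      Burst:            10000 packets
    System-wide information:
      Received:  5659052312          Arrival rate:     1 pps
      Dropped:   5641705949          Max arrival rate: 858556 pps

Protocol Group: ARP

  Packet type: aggregate
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
    System-wide information:
      Received:  1234567             Arrival rate:     12 pps
      Dropped:   0                   Max arrival rate: 980 pps
"""

GROUP_RE = re.compile(r"^Protocol Group:\s+(\S+)")
BW_RE = re.compile(r"^\s*Bandwidth:\s+(\d+)\s+pps")
RECV_RE = re.compile(r"^\s*Received:\s+(\d+)\s+Arrival rate:\s+(\d+)\s+pps")
DROP_RE = re.compile(r"^\s*Dropped:\s+(\d+)\s+Max arrival rate:\s+(\d+)\s+pps")


def parse_ddos_stats(text):
    """Return {group_name: counters} parsed from the statistics text.

    Group names are lower-cased so 'IPv4-Unclassified' becomes
    'ipv4-unclassified'. Missing fields stay at their defaults.
    """
    groups = {}
    current = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1).lower()
            groups[current] = {
                "bandwidth_pps": None,
                "received": 0,
                "dropped": 0,
                "arrival_pps": 0,
                "max_arrival_pps": 0,
            }
            continue
        if current is None:
            continue
        g = groups[current]
        if m := BW_RE.match(line):
            g["bandwidth_pps"] = int(m.group(1))
        elif m := RECV_RE.match(line):
            g["received"], g["arrival_pps"] = int(m.group(1)), int(m.group(2))
        elif m := DROP_RE.match(line):
            g["dropped"], g["max_arrival_pps"] = int(m.group(1)), int(m.group(2))
    return groups


def tripped_policers(groups, min_drop_ratio=0.01):
    """List groups whose policer dropped traffic.

    A group is reported when it has drops and either its peak arrival rate
    exceeded the configured bandwidth or the drop ratio is at least
    min_drop_ratio. 'overshoot' is peak rate divided by bandwidth (None when
    no bandwidth was parsed).
    """
    hits = []
    for name, g in groups.items():
        if g["received"] == 0 or g["dropped"] == 0:
            continue
        ratio = g["dropped"] / g["received"]
        bw = g["bandwidth_pps"]
        over_bw = bw is not None and g["max_arrival_pps"] > bw
        if over_bw or ratio >= min_drop_ratio:
            hits.append({
                "group": name,
                "drop_ratio": ratio,
                "max_arrival_pps": g["max_arrival_pps"],
                "bandwidth_pps": bw,
                "overshoot": (g["max_arrival_pps"] / bw) if bw else None,
            })
    return hits


if __name__ == "__main__":
    for hit in tripped_policers(parse_ddos_stats(SAMPLE_OUTPUT)):
        print(f"{hit['group']}: dropped {hit['drop_ratio']:.2%} of packets, "
              f"peak {hit['max_arrival_pps']} pps vs bandwidth "
              f"{hit['bandwidth_pps']} pps (x{hit['overshoot']:.1f})")
```

Run periodically against the real command output (for example via a NETCONF or SSH wrapper), the drop ratio is the figure worth alerting on: a policer that drops almost everything arriving in a group shows that whatever legitimate punts share that group were being starved for the duration of the event.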
