> James Jun > Sent: Monday, April 10, 2017 7:17 AM > > Hello Folks, > > We had a strange DoS attack against a customer attached to an MX104 router > that caused the device to completely stop forwarding all legitimate traffic > (routing protocols both igp and bgp timed out across all adjacencies and > sessions). > > The attack traffic was roughly 5.9 Gbps and it was 9.5 million packets per > second, mostly mix of tcp syn and non-init frags, etc. It was coming from a > single source IP, but targeting random IPv4 addresses inside a directly > attached customer /23, where many of the destination targets were unused > addresses on customer's network (no arp entry). > > During the event, I saw IPv4-unclassified protocol group getting rate limited > by ddos-protection, where aggregate policer kicked in at 858k pps: > > Received: 5659052312 Arrival rate: 1 pps > Dropped: 5641705949 Max arrival rate: 858556 pps > > > Does the tripping of IPv4-unclassified policer impact any control-plane traffic > on the router that may have caused it to drop routing protocols? > > Aside from arp sponging out unused addresses, are there any best practices > for MX routers to better protect the device against attacks targeting unused > IPs on directly attached subnets? Given that first gen Trio on this box should > be able to handle 55 Mpps, it seems like this is odd or ddos-protection is > policing something that it shouldn't have. Customer port is 1GE on a 20x1G > MIC card behind the QX chip side, but we're not doing any queueing on the > box.
That's a correct configuration, 20Gbps in and 20Gbps out is maximum throughput on a 1st gen Trio if QX chip is not explicitly disabled. Default pps rates on DDoS protection are too high you need to tune them in order to gain actual protection. adam netconsultings.com ::carrier-class solutions for the telecommunications industry:: _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp