


DDoS ARP


tec1@rambler.ru
Contributor (11)
Mar 14, 2014 5:43am

Twice we saw an ARP DDoS from an operator's Layer 2 networks hitting different routers of ours. It was above 1.5 million ARP packets per second, which the default ARP policer dropped.

 

xxxx@PE-1> show policer __default_arp_policer__
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                       61113045326           1328544093

{master}
xxxx@PE-1> show policer __default_arp_policer__
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                       61176856048           1329931282

{master}

But besides the dangerous ARP packets, legitimate ARP packets were dropped as well. In the first incident we lost management of two Cisco switches, and in the second incident we lost many of our clients' services. In the second incident traffic on the subinterface grew to 373 Mb/s, but the policer that rate-limits traffic on this subinterface didn't drop the exceeding traffic.

Why?

 

xxxx@PE-1> show policer lim1m-xe-0/1/0.974-inet-i
Policers:
Name                                                Bytes              Packets
lim1m-xe-0/1/0.974-inet-i                               0                    0

{master}
xxxx@PE-1> show policer lim1m-xe-0/1/0.974-inet-o
Policers:
Name                                                Bytes              Packets
lim1m-xe-0/1/0.974-inet-o                        57932665                40992

{master}

The correct solution to the problem was to use a policer that rate-limits ARP packets on the subinterface.

 

firewall {
    /* ARP above 8 kbit/s (1500-byte burst) is discarded */
    policer ARP-Policer {
        if-exceeding {
            bandwidth-limit 8k;
            burst-size-limit 1500;
        }
        then discard;
    }
}

interfaces {
    xe-0/1/0 {
        unit 974 {
            family inet {
                /* apply the policer to ARP on this subinterface only */
                policer {
                    arp ARP-Policer;
                }
            }
        }
    }
}

Best regards,

Alexey
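The two `show policer` snapshots above only make sense as a rate once you difference the packet counters over the time between the two commands. The following is an added example, not code from the thread or from Juniper: it parses the tabular `show policer` output as pasted above, computes each policer's discard rate in packets per second between two snapshots, and flags policers discarding above a threshold. The snapshot text is constructed from the thread's figures, and the one-second sampling interval (`INTERVAL_S`) is an assumption, since the thread does not say how far apart the two commands were run.

```python
"""Detect an ARP storm from two successive Junos `show policer` snapshots.

Added example (not from the thread). The snapshots below are constructed
from the counters quoted in the thread; INTERVAL_S is an assumed sampling
interval, not a value the thread gives.
"""
import re

# One row of the "Policers:" table: name, byte count, packet count.
_ROW_RE = re.compile(r"^(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$")

# Assumed interval between the two `show policer` commands, in seconds.
INTERVAL_S = 1.0

# Constructed snapshots modelled on the thread's output.
SNAPSHOT_T0 = """\
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                       61113045326           1328544093
lim1m-xe-0/1/0.974-inet-i                               0                    0
"""
SNAPSHOT_T1 = """\
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                       61176856048           1329931282
lim1m-xe-0/1/0.974-inet-i                               0                    0
"""


def parse_policers(text):
    """Return {policer_name: (bytes, packets)} from `show policer` output.

    Header lines ("Policers:", "Name ... Packets") and prompts such as
    "{master}" do not match the row pattern and are skipped.
    """
    counters = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            counters[m["name"]] = (int(m["bytes"]), int(m["packets"]))
    return counters


def drop_rates(prev_text, cur_text, interval_s):
    """Per-policer discard rate between two snapshots.

    Returns {name: (packets_per_second, avg_bytes_per_packet)}. A policer
    whose counters went backwards (cleared between samples) is skipped
    rather than reported as a negative rate.
    """
    prev = parse_policers(prev_text)
    cur = parse_policers(cur_text)
    rates = {}
    for name, (cur_bytes, cur_pkts) in cur.items():
        if name not in prev:
            continue
        prev_bytes, prev_pkts = prev[name]
        d_pkts = cur_pkts - prev_pkts
        d_bytes = cur_bytes - prev_bytes
        if d_pkts < 0 or d_bytes < 0:
            continue  # counters were cleared; no meaningful rate
        avg_size = d_bytes / d_pkts if d_pkts else 0.0
        rates[name] = (d_pkts / interval_s, avg_size)
    return rates


def storm_alerts(prev_text, cur_text, interval_s, threshold_pps):
    """Names of policers discarding more than threshold_pps packets/second."""
    return sorted(
        name
        for name, (pps, _) in drop_rates(prev_text, cur_text, interval_s).items()
        if pps > threshold_pps
    )


if __name__ == "__main__":
    for name, (pps, size) in drop_rates(SNAPSHOT_T0, SNAPSHOT_T1, INTERVAL_S).items():
        print(f"{name}: {pps:,.0f} pps, {size:.1f} B/packet")
    print("alerts:", storm_alerts(SNAPSHOT_T0, SNAPSHOT_T1, INTERVAL_S, 10_000))
```

With the assumed one-second interval the default ARP policer shows roughly 1.39 million discards per second at about 46 bytes per packet, consistent with the ARP flood described. Note that a policer counter records only what was discarded, not what was admitted, so it cannot tell you how much legitimate ARP was lost alongside the flood; that is exactly why a per-subinterface ARP policer, as in the config above, limits the damage to the one unit carrying the storm.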




kalagesan
Contributor (11)
Mar 14, 2014 6:05am

Hi Alexey,

I hope your query is about routers; please post the query in the forum below. This forum is only for SBR/UAC/OAC/Pulse.

http://forums.juniper.net/t5/Routing/bd-p/IProuting

Regards,

kannan

tec1@rambler.ru
Contributor (11)
Mar 14, 2014 10:09am

Hello Kannan,

Thanks very much. How can I delete my post here?

Best regards,

Alexey