
[QFX] DDoS protection for TTL may not work as expected in some scenarios


Article ID: KB34615   KB Last Updated: 24 Jul 2019   Version: 1.0
Summary:

This article explains that DDoS protection for TTL may not work as expected in some scenarios and suggests a few workarounds for the scenarios described here.


Symptoms:

Scenario 1: TTL DDoS protection configured along with l3mtu-fail

  • Sample configuration

set system ddos-protection protocols ttl aggregate bandwidth 200
set system ddos-protection protocols ttl aggregate burst 500
set system ddos-protection protocols l3mtu-fail aggregate bandwidth 100
set system ddos-protection protocols l3mtu-fail aggregate burst 400
  • ASIC queue 12 is shared among three protocols (TTL, L3MTU-FAIL and IP-OPT). Because L3MTU-FAIL has the highest protocol ID of the three, the bandwidth and burst values configured for L3MTU-FAIL are the ones programmed into the queue, and the TTL values (200/500) are not used:

TFXPC0(vty)# show halp-pkt asic-queues
------ --------- -------- -------- --------- ------------------------------
 CMICQ  Channel   bwidth    burst     Qlen           Proto(s)
------ --------- -------- -------- --------- ------------------------------
  12        3      100      400      400        l3mtu-fail,ttl,ip-opt

Scenario 2: The TTL-exceeded packet rate does not exceed the configured queue rate, but packets still get dropped.

  • The rate limit is applied per CPU queue, not per protocol. If three protocols share the same CPU queue, all three share the same bandwidth and burst values. Packets are therefore dropped whenever the combined packet rate of these protocols exceeds the configured queue rate, even if each protocol on its own stays below it.


Scenario 3: With L3MTU-FAIL and TTL DDoS protection both configured, removing the L3MTU-FAIL configuration returns the ASIC queue to its default rate instead of the TTL values.

  1. Step 1

set system ddos-protection protocols ttl aggregate bandwidth 200
set system ddos-protection protocols ttl aggregate burst 500
set system ddos-protection protocols l3mtu-fail aggregate bandwidth 100
set system ddos-protection protocols l3mtu-fail aggregate burst 400
commit

  2. Step 2

delete system ddos-protection protocols l3mtu-fail
commit

TFXPC0(vty)# show halp-pkt asic-queues
------ --------- -------- -------- --------- ------------------------------
 CMICQ  Channel   bwidth    burst     Qlen           Proto(s)
------ --------- -------- -------- --------- ------------------------------
  12        3       50       10      200        l3mtu-fail,ttl,ip-opt   >>>> queue 12 is using the default configuration, not the TTL values.
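The three scenarios above describe one shared queue policer: the queue takes the bandwidth/burst of the configured protocol with the highest protocol ID (scenario 1), every protocol on the queue consumes the same token bucket (scenario 2), and the queue is expected to be reprogrammed when the winning protocol is deleted (scenario 3 shows it staying at the default instead). The following model, added here as an illustration and not Juniper code, assumes bandwidth is in packets per second, burst is in packets, and that the relative ID order ip-opt < ttl is as shown (the article only states that l3mtu-fail has the highest ID of the three).

```python
# Added illustration of a shared ASIC/CPU queue policer (not Juniper code).
# Assumptions: bandwidth = packets/s, burst = packets, and the protocol-ID
# order below (only "l3mtu-fail is highest" is stated in the article).
from fractions import Fraction

QUEUE12_PROTO_ORDER = ["ip-opt", "ttl", "l3mtu-fail"]  # lowest -> highest ID (assumed)
QUEUE12_DEFAULT = (50, 10)  # bwidth/burst shown for queue 12 in scenario 3


def effective_policer(config):
    """config: {protocol: (bandwidth, burst)} as configured under ddos-protection.
    The queue is programmed with the values of the configured protocol that has
    the highest protocol ID (scenario 1); nothing configured -> queue default."""
    for proto in reversed(QUEUE12_PROTO_ORDER):
        if proto in config:
            return config[proto]
    return QUEUE12_DEFAULT


def simulate_queue(bandwidth, burst, offered, seconds=10):
    """Token bucket shared by every protocol on the queue (scenario 2).
    offered: {protocol: packets per second}, each sent at a constant pace.
    Returns {protocol: packets dropped}. Exact arithmetic keeps it deterministic."""
    arrivals = sorted(
        (Fraction(i, rate), proto)
        for proto, rate in offered.items()
        for i in range(rate * seconds)
    )
    tokens, last_t = Fraction(burst), Fraction(0)
    drops = {proto: 0 for proto in offered}
    for t, proto in arrivals:
        # Refill at the queue rate since the previous arrival, capped at burst.
        tokens = min(Fraction(burst), tokens + bandwidth * (t - last_t))
        last_t = t
        if tokens >= 1:
            tokens -= 1  # packet accepted toward the CPU
        else:
            drops[proto] += 1  # queue policer drops it, whichever protocol sent it
    return drops


if __name__ == "__main__":
    cfg = {"ttl": (200, 500), "l3mtu-fail": (100, 400)}  # scenario 1 config
    bw, burst = effective_policer(cfg)  # (100, 400): l3mtu-fail wins the queue
    print("queue 12 programmed as bwidth", bw, "burst", burst)
    # Each protocol alone stays under 100 pps, so alone neither is dropped...
    print(simulate_queue(bw, burst, {"ttl": 70}), simulate_queue(bw, burst, {"l3mtu-fail": 90}))
    # ...but together they offer 160 pps to a 100 pps queue and both lose packets.
    print(simulate_queue(bw, burst, {"ttl": 70, "l3mtu-fail": 90}))
```

The combined run drops roughly 200 of 1600 packets while each protocol alone drops none, which is the scenario 2 symptom; effective_policer({"ttl": (200, 500)}) returning the TTL values is what scenario 3 expects after the delete, and the deactivate/activate workaround in the Solution is what makes the device program that result.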


Solution:

This behavior is as per design because the device has limited ASIC queue capabilities. For more information, refer to KB31827 - [EX/QFX] DDOS may set a protocol to the violation state even when the input rate of the protocol is lower than the policer bandwidth.

Workarounds for each scenario are as follows:

  • Scenarios 1 and 2: If you need DDoS protection for only one of TTL or L3MTU, configure protection for that protocol alone, so that its values are the ones programmed into the shared queue.

    • If you need protection for both TTL and L3MTU, configure a reasonable bandwidth and burst on L3MTU, because the L3MTU-FAIL values are the ones applied to the shared queue and therefore to TTL traffic as well.

  • Scenario 3:

    • Execute deactivate system ddos-protection, then commit.

    • Then execute activate system ddos-protection, then commit.

This reprograms the queue with the TTL DDoS protection configuration.
