
List:       juniper-nsp
Subject:    Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET
From:       Luis Balbinot <luis () luisbalbinot ! com>
Date:       2017-11-21 12:56:01
Message-ID: CAFsaiiOvyC6H=4d5VMt+_8nsJsd1V0=HgYjmD+Dk+3Rmi_OqwA () mail ! gmail ! com

Sorry, I meant the opposite (i.e. the defaults are too high).

One that is especially high is the IGMP at 20k. Multicast loops on
large layer-2 fabrics (IXPs) will bring down first-gen Trios very
easily (can't say the same for the newer ones up to Eagle).

On Tue, Nov 21, 2017 at 10:19 AM, Saku Ytti <saku@ytti.fi> wrote:
> On 21 November 2017 at 14:12, Luis Balbinot <luis@luisbalbinot.com> wrote:
>
>> The DDoS protection factory defaults are very low in some cases. The
>> Juniper MX Series book has a nice chapter on that.
>
> Do you have an example? Most of them are like 20kpps, which is more
> than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
> are massively too large out-of-the-box.
>
> I doubt anyone has configured them to sensible values, as it would be
> hundreds of lines of ddos-protection config, as you cannot set default
> values which apply to all of them and then more-specific ones to the
> ones you care about. Correct configuration needs to manually configure
> each and every one; those which you don't need, as low as you want,
> like 10pps.
>
>
> --
>   ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
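As an added example (not part of the thread or any Juniper documentation), a small generator for the kind of explicit per-protocol ddos-protection configuration Saku describes, since there is no single statement that lowers every group at once. The protocol-group names, the pps values and the host-path ceiling are assumptions for illustration, not recommendations from the thread.

```python
"""Emit explicit per-protocol Junos ddos-protection policer statements.

Added example. Junos has no hierarchy-wide default for these policers,
so every protocol group that should be tightened needs its own
'aggregate bandwidth' statement; this script writes those lines.
Group names are a partial, assumed list (check the platform's own
'show ddos-protection protocols' output); pps values are constructed.
"""

# Groups the operator wants at a specific allowance (constructed values).
TUNED_PPS = {
    "bgp": 4000,
    "ospf": 2000,
    "isis": 2000,
    "arp": 1000,
    "icmp": 1000,
    "igmp": 500,   # the thread singles out the 20k factory default
}

# Every other group is policed down to a floor, following the
# "as low as you want, like 10pps" remark in the thread.
ALL_GROUPS = ["bgp", "ospf", "isis", "arp", "icmp", "igmp", "ntp",
              "snmp", "ssh", "dhcpv4", "pim", "vrrp", "lacp", "ldp",
              "rsvp", "bfd"]
FLOOR_PPS = 10

# Assumed ceiling for the shared NPU=>PFE_CPU host path (constructed).
HOST_PATH_PPS = 10000


def policer_lines(groups, tuned, floor_pps, burst_ratio=0.5):
    """Return 'set ...' lines: one bandwidth and one burst per group."""
    lines = []
    for g in sorted(groups):
        pps = tuned.get(g, floor_pps)
        burst = max(1, int(pps * burst_ratio))  # burst is in packets
        base = f"set system ddos-protection protocols {g} aggregate"
        lines.append(f"{base} bandwidth {pps}")
        lines.append(f"{base} burst {burst}")
    return lines


def over_budget(tuned, host_path_pps):
    """Groups whose allowance alone could congest the shared host path."""
    return sorted(g for g, pps in tuned.items() if pps > host_path_pps)


if __name__ == "__main__":
    print("\n".join(policer_lines(ALL_GROUPS, TUNED_PPS, FLOOR_PPS)))
    print("# over host-path budget:", over_budget(TUNED_PPS, HOST_PATH_PPS))
```

Paste the output into a candidate configuration and `commit check` it; the `over_budget` check is a sanity test against the ceiling you assume for your own platform, not a measured value.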