Junos

DDOS-Protection QFX

2 weeks ago

Hello,


I recently started playing with the ddos-protection on a QFX device. I noticed when I asked to show the violations it just says the protocol being violated and what the rate of the violation is, which is great. However, I can't seem to find anything that says "X IRB" or "xe-0/0/1" is violating X policer.


Is there any way to find this information? I enabled all on a ddos-trace log but still nothing that tells me who is abusing. It's great it's dropping the packets, but I'd love to find where the abuse is coming from on the switch.


Thanks!


Re: DDOS-Protection QFX

2 weeks ago
Hello,

Which configuration are you using? I think you should be able to see the info you are looking for on the syslog.

Could you review this link?

[edit system ddos-protection traceoptions]
user@host# set file ddos_1 _logfile_1 world-readable
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ddos-protection-traceoptions.htm...

Did you configure something similar or can you try and check? If there is any violation it seems we should be able to see it from there.

Re: DDOS-Protection QFX

2 weeks ago
After configuring this:

show log ddos_1 _logfile_1

Re: DDOS-Protection QFX

2 weeks ago

So I did that and I just get a bunch of output like this: https://pastebin.com/Wh3Qt2bd


It doesn't actually tell me where the abuse is coming from, just that the abuse is there.


Re: DDOS-Protection QFX

2 weeks ago

Hi,

Please refer to the links below, which show how to configure flow detection. It will help to detect the flows which are violating.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-scfd-overview...

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/scfd-configuration-overv...


Regards,

Gaurao


Re: DDOS-Protection QFX

2 weeks ago
Hi,
Thanks! I have seen more info when we use flow-detection, but it seems this is not supported for QFX, and what we have is the traceoptions for this one. Is level all enabled as well on the trace? From the output we have the violations, but there are no more details.

Re: DDOS-Protection QFX

a week ago

Yes it is, but it's not telling me what IP/port/IRB is offending. We have flows set up on our edge router (MX480) but not on the QFXs. I think I'm going to set up some type of ntop and pump the flows into it and try to find it that way.


Thanks!


Re: DDOS-Protection QFX

a week ago

Just thought of sharing...


DDOS Commands: [My favorite list]
show ddos-protection protocols statistics terse <<< who is violating at this point; check the state
show ddos-protection protocols statistics brief <<< show brief output for all protocols
show ddos-protection protocols statistics detail <<< show detailed output for all protocols
show ddos-protection statistics <<< show overall statistics
show ddos-protection protocols parameters detail <<< show detailed configured/default ddos-protection protocol parameters
show ddos-protection protocols parameters brief
show ddos-protection protocols parameters | no-more <<< to see the default values
show ddos-protection protocols violations <<< Show summary of all protocol violations
show ddos-protection protocols ip-options flow-detection
show ddos-protection protocols flow-detection | no-more
show ddos-protection protocols flow-detection detail | no-more
clear ddos-protection protocols arp states
clear ddos-protection protocols statistics
show ddos-protection protocols arp violations
show ddos-protection protocols arp culprit-flows <<<

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: DDOS-Protection QFX

a week ago

None of the useful commands work on my QFX:

user@RT> show ddos-protection protocols ip-options flow-detection
error: command is not valid on the qfx5100-48s-6q

{master:0}
tuser@RT> show ddos-protection protocols flow-detection | no-more
error: command is not valid on the qfx5100-48s-6q
error: command is not valid on the qfx5100-48s-6q

{master:0}
user@RT> show ddos-protection protocols arp culprit-flows
error: command is not valid on the qfx5100-48s-6q

{master:0}
user@RT>


Re: DDOS-Protection QFX

a week ago

Sorry for that, I made the list for my MX boxes.


-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: DDOS-Protection QFX

a week ago

Hello,


Flow-detection is not supported on QFX; you can try with tcpdumps and let us know.


Thanks!


Re: DDOS-Protection QFX

a week ago

As DDoS flow detection is not available on QFX, you need to think about some other way to find out the source IP/interface for such traffic.

Try to configure a tight lo0 filter, allowing only valid protocols. Use the last term with a log/syslog/reject action. Let's see if your lo0 filter can capture the traffic of interest.


Mengzhe Hu
JNCIE x 3 (SP DC ENT)
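As an added illustration of the lo0-filter approach suggested above (not code from the thread or from Juniper), here is a small Python script that aggregates the syslog records such a filter emits so the offending ingress interface and source address stand out. The sample lines are constructed, and the `PFE_FW_SYSLOG_IP: FW: <ifl> <A|D> <proto> <src> <dst> <sport> <dport> (<n> packets)` layout is assumed from the common firewall-filter syslog format; check it against your own platform's output before relying on the regex.

```python
import re
from collections import Counter

# Constructed sample syslog lines, as a lo0 filter's final "then syslog; discard"
# term might produce. The record layout is an assumption; adjust LINE_RE if yours differs.
SAMPLE_SYSLOG = """\
Jun  5 10:01:02 qfx fpc0 PFE_FW_SYSLOG_IP: FW: irb.100 D tcp 10.10.1.50 10.10.1.1 51234 23 (1 packets)
Jun  5 10:01:02 qfx fpc0 PFE_FW_SYSLOG_IP: FW: irb.100 D tcp 10.10.1.50 10.10.1.1 51235 23 (1 packets)
Jun  5 10:01:03 qfx fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/0/1.0 D udp 192.0.2.7 10.10.2.1 40000 161 (2 packets)
Jun  5 10:01:03 qfx fpc0 PFE_FW_SYSLOG_IP: FW: irb.100 D tcp 10.10.1.50 10.10.1.1 51236 23 (1 packets)
Jun  5 10:01:04 qfx fpc0 unrelated message that the parser must skip
"""

LINE_RE = re.compile(
    r"PFE_FW_SYSLOG_IP: FW: (?P<ifl>\S+)\s+(?P<action>[AD])\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"\((?P<pkts>\d+) packets\)"
)


def parse_fw_syslog(text):
    """Yield one dict per firewall syslog record; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["pkts"] = int(rec["pkts"])
            yield rec


def top_talkers(text, key=("ifl", "src", "proto", "dport")):
    """Sum logged packets per (ingress interface, source IP, protocol, destination port).

    Returns a list of ((ifl, src, proto, dport), packets) sorted by packet count, highest first,
    so the interface/IRB and host hitting the control plane appear at the top.
    """
    counts = Counter()
    for rec in parse_fw_syslog(text):
        counts[tuple(rec[k] for k in key)] += rec["pkts"]
    return counts.most_common()


if __name__ == "__main__":
    for (ifl, src, proto, dport), pkts in top_talkers(SAMPLE_SYSLOG):
        print(f"{ifl:12} {src:16} {proto:4} dport {dport:>5}  {pkts} pkts")
```

Feed it the relevant lines from `show log <file>` (or your syslog collector's export) and the top row is the interface and source to investigate; the ddos-protection violation itself still only tells you the protocol and rate.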