Hi,
We are using an SRX240H2 as our GW. Today, just for testing purposes, I set the UDP flood threshold to 3000 pps. For our network usage it is OK to have even 25 kpps of UDP traffic, but that's not the point. The result was so crazy I could not even have imagined it (because any Linux box for the same price will just act better in this situation).
After the limit was set, one of our clients started to transmit their data over UDP. The logs were full of information that a certain IP was flooding us and the action for it was drop. And these logs now just flood the CPU, as the SRX has to write logs and rotate files hell fast. And the system CPU usage was an insane 99%. Like, come on? I set some UDP flood limits to get rid of UDP flood attacks and as a result I have an unresponsive GW? Could it not just drop the connection from that IP and log it once?
last pid: 68187; load averages: 2.21, 1.92, 1.31 up 43+07:54:40 00:04:04
139 processes: 20 running, 107 sleeping, 1 zombie, 11 waiting
Mem: 209M Active, 132M Inact, 1040M Wired, 206M Cache, 112M Buf, 385M Free
Swap:
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1474 root 7 139 0 997M 59168K CPU3 3 3273.8 293.85% flowd_octeon_hm
1125 root 1 134 0 13056K 4692K RUN 0 123:47 38.33% eventd
1481 root 1 116 0 13960K 6464K RUN 0 52:24 25.54% rtlogd
Why does it still have to check every single packet from that source?
Oct 1 00:00:12 ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49232, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
Oct 1 00:00:12 ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49229, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
Oct 1 00:00:12 ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49232, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
Oct 1 00:00:12 ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49232, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
Oct 1 00:00:12 ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49224, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
Oct 1 00:00:12 ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49224, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, ac
What if I set a high enough UDP flood threshold so the SRX won't react to our clients, but then I get an even bigger UDP flood attack from somewhere? Will I just be down? Seems like the SRX240H2 is pretty pointless at mitigating DDoS and DoS attacks, as they start to DoS its own CPU right away.
JunOS is 12.1X46-D40.2
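The post asks for one log entry per flooding source instead of one per dropped packet. As an added example (not from the post or from Juniper), the Python below collapses RT_SCREEN_UDP lines in the exact format quoted above into one summary per source/destination/interface on the syslog collector side, and counts a truncated line like the last one as skipped rather than miscounting it.

```python
import re
from collections import OrderedDict

# Field layout of the RT_SCREEN_UDP lines quoted in the post; the masked "xxx"
# octets are accepted as-is because the pattern does not insist on numeric octets.
SCREEN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) RT_IDS: RT_SCREEN_UDP: "
    r"UDP flood! source: (?P<src>[^:,]+):(?P<sport>\d+), "
    r"destination: (?P<dst>[^:,]+):(?P<dport>\d+), zone name: (?P<zone>[^,]+), "
    r"interface name: (?P<ifname>[^,]+), action: (?P<action>\w+)$"
)

def parse_screen_line(line):
    """Return the fields of one RT_SCREEN_UDP line, or None when the line does
    not match (for example the truncated last line quoted in the post)."""
    m = SCREEN_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_floods(lines):
    """Collapse per-packet screen logs into one record per (source IP,
    destination IP, destination port, interface). Returns (records, skipped)."""
    flows = OrderedDict()
    skipped = 0
    for line in lines:
        ev = parse_screen_line(line)
        if ev is None:
            skipped += 1          # unparsable or truncated line: counted, not lost
            continue
        key = (ev["src"], ev["dst"], ev["dport"], ev["ifname"])
        rec = flows.setdefault(key, {"first_seen": ev["ts"], "action": ev["action"],
                                     "count": 0, "sports": set()})
        rec["count"] += 1
        rec["sports"].add(int(ev["sport"]))
    return flows, skipped

def format_summary(flows):
    """One human-readable line per collapsed flow."""
    return [f"{r['first_seen']} UDP flood ({r['action']}): {src} -> {dst}:{dport} on "
            f"{ifname}, {r['count']} packets, {len(r['sports'])} source ports"
            for (src, dst, dport, ifname), r in flows.items()]

# Constructed sample: the lines quoted in the post (addresses masked as there),
# plus the truncated final line, to show it is skipped rather than miscounted.
_HDR = "Oct 1 00:00:12 ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:"
_TAIL = ", destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop"
SAMPLE_LOG = [_HDR + str(p) + _TAIL for p in (49232, 49229, 49232, 49232, 49224)]
SAMPLE_LOG.append(_HDR + "49224, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, ac")
```

Calling `summarize_floods(SAMPLE_LOG)` on the constructed sample yields a single flow record (5 packets from three source ports) and one skipped line, which is what the collector would forward instead of the per-packet stream.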