SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  High system CPU usage when using screen to limit udp flood

    Posted 09-30-2016 15:04

    Hi,

    We are using an SRX240H2 as our GW. Today, just for testing purposes, I've set the UDP flood threshold to 3000 pps. For our network usage it is OK to have even 25 kpps of UDP traffic, but that is not the point. The result was so crazy I could not even have imagined it (because any Linux box for the same price would just act better in this situation).

    After the limit was set, one of our clients started to transmit their data over UDP. The logs were full of information that a certain IP was flooding us and that the action for it was drop. And these logs now just flood the CPU, as the SRX has to write logs and rotate files hellishly fast. And the system CPU usage was an insane 99%. Like, come on? I set some UDP flood limits to get rid of UDP flood attacks and as a result I have an unresponsive GW? Could it just drop the connection from that IP and log it once?


    last pid: 68187;  load averages:  2.21,  1.92,  1.31  up 43+07:54:40    00:04:04
    139 processes: 20 running, 107 sleeping, 1 zombie, 11 waiting
    
    Mem: 209M Active, 132M Inact, 1040M Wired, 206M Cache, 112M Buf, 385M Free
    Swap:
    
    
      PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
     1474 root        7 139    0   997M 59168K CPU3   3 3273.8 293.85% flowd_octeon_hm
     1125 root        1 134    0 13056K  4692K RUN    0 123:47 38.33% eventd
     1481 root        1 116    0 13960K  6464K RUN    0  52:24 25.54% rtlogd
    

    Why does it still have to check every single packet from that source?

    Oct  1 00:00:12  ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49232, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
    Oct  1 00:00:12  ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49229, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
    Oct  1 00:00:12  ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49232, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
    Oct  1 00:00:12  ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49232, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
    Oct  1 00:00:12  ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49224, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, action: drop
    Oct  1 00:00:12  ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: xxx.xxx.217.38:49224, destination: xxx.xxx.240.34:49221, zone name: internet, interface name: ge-0/0/12.0, ac

    What if I set a high enough UDP flood threshold so the SRX won't react to our clients, but I get an even higher UDP flood attack from somewhere? I'll just be down? Seems like the SRX240H2 is pretty pointless at mitigating DDoS and DoS attacks, as they start to DoS its own CPU right away.

    JunOS is 12.1X46-D40.2




  • 2.  RE: High system CPU usage when using screen to limit udp flood
    Best Answer

    Posted 09-30-2016 19:24

    Hi,

    The RT logs which the SRX had to write to a local file are actually traffic logs.

    By default, the SRX 240 is in event mode for traffic logs, which means that all the traffic logs (and system logs) are handled by the Routing Engine, thus causing high RE CPU on the SRX.

    If you change the mode of security logs to stream, these would be handled by the PFE (dataplane) and sent directly to the syslog server without the RE's intervention. This would save the RE CPU from going high.

    More details in the following link:

    https://www.juniper.net/documentation/en_US/junos12.3x48/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html

    Even after changing the security log mode to stream, the system logs would still be handled by the RE.


    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 3.  RE: High system CPU usage when using screen to limit udp flood

    Posted 10-03-2016 04:42

    Hi,

    Thanks for the hint. Configured the stream mode and a remote server. Runs fine with the same test.

    FPC 0 PIC 0 CPU utilization : 6 %


    node0:
    --------------------------------------------------------------------------
    last pid: 71986;  load averages:  0.35,  0.22,  0.16  up 45+22:31:32    14:40:56
    139 processes: 18 running, 109 sleeping, 1 zombie, 11 waiting
    
    grep "UDP flood" /var/log/srx.log -c
    11778
    

    Thanks for the hint.

    But I'm still wondering why it logs every single packet instead of block-and-forget.
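As an added example (not from the thread or from Juniper), the per-packet RT_SCREEN_UDP lines quoted in the first post collapsed into one record per source, destination port and interface, which is the "block and forget" view the first and third posts ask for from the box itself. The addresses are constructed RFC 5737 values standing in for the masked ones, and the 60-second aggregation window is an assumption.

```python
import re
from datetime import datetime

# Field layout of the RT_SCREEN_UDP syslog line quoted in the thread.
SCREEN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+) RT_IDS: RT_SCREEN_UDP: "
    r"UDP flood! source: (?P<src>[\d.]+):(?P<sport>\d+), destination: (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"zone name: (?P<zone>\S+), interface name: (?P<ifname>\S+), action: (?P<action>\w+)"
)

def parse_screen_line(line):
    """Return the fields of one RT_SCREEN_UDP line, or None for any other syslog line."""
    m = SCREEN_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, window=60):
    """Collapse per-packet flood lines into one record per (source, destination:port,
    interface) per `window` seconds (window length is an assumption). Syslog timestamps
    carry no year; strptime's default year is fine for ordering within a day."""
    records, current = [], {}
    for line in lines:
        f = parse_screen_line(line)
        if f is None:
            continue
        ts = datetime.strptime(f["ts"], "%b %d %H:%M:%S")
        key = (f["src"], f["dst"], f["dport"], f["ifname"])
        rec = current.get(key)
        if rec is None or (ts - rec["first"]).total_seconds() >= window:
            rec = {"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                   "ifname": f["ifname"], "zone": f["zone"], "action": f["action"],
                   "first": ts, "last": ts, "count": 0, "sports": set()}
            current[key] = rec
            records.append(rec)
        rec["last"] = ts
        rec["count"] += 1
        rec["sports"].add(int(f["sport"]))
    return records

def render(rec):
    """One summary line per record, in place of thousands of identical drop lines."""
    return ("%s -> %s:%s via %s (zone %s): %d %s events, %d source ports, %s..%s" % (
        rec["src"], rec["dst"], rec["dport"], rec["ifname"], rec["zone"], rec["count"],
        rec["action"], len(rec["sports"]),
        rec["first"].strftime("%H:%M:%S"), rec["last"].strftime("%H:%M:%S")))

# Constructed sample modelled on the thread's output; not a capture from the poster's box.
def _line(ts, src, sport, dst="203.0.113.34", dport=49221):
    return ("%s  ee-tll-tt-gw1 RT_IDS: RT_SCREEN_UDP: UDP flood! source: %s:%d, destination: "
            "%s:%d, zone name: internet, interface name: ge-0/0/12.0, action: drop"
            % (ts, src, sport, dst, dport))

SAMPLE_LOG = [_line("Oct  1 00:00:12", "198.51.100.38", p) for p in
              (49232, 49229, 49232, 49232, 49224, 49224)]
SAMPLE_LOG += ["Oct  1 00:00:13  ee-tll-tt-gw1 sshd[1234]: unrelated system log line",
               _line("Oct  1 00:01:30", "192.0.2.7", 5000),
               _line("Oct  1 00:01:31", "192.0.2.7", 5001),
               _line("Oct  1 00:02:00", "198.51.100.38", 49232)]
SUMMARY = summarize(SAMPLE_LOG)

if __name__ == "__main__":
    for rec in SUMMARY:
        print(render(rec))
```

Pointed at a file collected from the stream-mode syslog server, the same function turns the 11778 lines from the third post into a handful of per-source records while leaving the SRX's drop action untouched.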