Mailing List Archive

ERX High SRP Processor utilization--lots of ICMP--
Hello
We have an ERX with two STM-4 linemodules and 1 4STM1 linemodule. We are
running BGP full routing and OSPF as iBGP.
We have the SRP processor of the ERX at about 60 %.
We can see a lot of ICMP but when we do the icmptraffic debug then we can
see that the addresses that answer the ICMP requests are the Broadcast
address of the point to point links with other routers.

Does anyone know how I can disable these echoes?

The process that uses the highest percentage of processor is "background".
Does anyone know what this background process runs (the only thing I could
find is that synchronization of SRPs is included...but What else!????).

Any comments are welcome.

Regards

Jeronimo Diez
ERX High SRP Processor utilization--lots of ICMP-- [ In reply to ]
Jeronimo Diez de Sollano Velazco Aceves:
> Hello
> We have an ERX with two STM-4 linemodules and 1 4STM1 linemodule. We are
> running BGP full routing and OSPF as iBGP.
> We have the SRP processor of the ERX at about 60 %.
> We can see a lot of ICMP but when we do the icmptraffic debug then we can
> see that the addresses that answer the ICMP requests are the Broadcast
> address of the point to point links with other routers.

Watch your traffic for (D)DoS SYN-attacks, just had an attack here
driving the CPU up to loads of 70-80% sustained.

--
Roy-Magne Mo
ERX High SRP Processor utilization--lots of ICMP-- [ In reply to ]
On Monday, June 16, 2003, at 02:10 PM, Roy-Magne Mo wrote:

> Jeronimo Diez de Sollano Velazco Aceves:
>> Hello
>> We have an ERX with two STM-4 linemodules and 1 4STM1 linemodule. We are
>> running BGP full routing and OSPF as iBGP.
>> We have the SRP processor of the ERX at about 60 %.
>> We can see a lot of ICMP but when we do the icmptraffic debug then we can
>> see that the addresses that answer the ICMP requests are the Broadcast
>> address of the point to point links with other routers.
>
> Watch your traffic for (D)DoS SYN-attacks, just had an attack here
> driving the CPU up to loads of 70-80% sustained.
>
> --
> Roy-Magne Mo
>
You are probably seeing a "smurf" attack or other attack that relies on
broadcast traffic. You should have 'no ip directed-broadcast' on the
ERX. It may already exist in the default configuration, so do a 'show
config include-defaults | inc directed' to verify. Also I would have ip
local policies applied on each interface to restrict traffic with a
destination of the SRP ip interfaces.

Truman
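
Added example, not part of the original thread and not ERX code: a way to confirm from captured ICMP records that the addresses involved really are the directed-broadcast addresses of your point-to-point links, which is the symptom that 'no ip directed-broadcast' addresses. The link prefixes and the log line format are constructed for illustration and do not reproduce ERX debug output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data: prefixes and log lines are illustrative only,
# not real ERX configuration and not the real ERX debug format.
LINK_PREFIXES = ["10.0.0.0/30", "10.0.0.4/30", "10.0.1.0/31"]
SAMPLE_LOG = """\
ICMP echo src=198.51.100.7 dst=10.0.0.3
ICMP echo-reply src=10.0.0.3 dst=198.51.100.7
ICMP echo src=198.51.100.7 dst=10.0.0.7
ICMP echo src=203.0.113.9 dst=10.0.0.1
ICMP echo src=203.0.113.9 dst=10.0.1.1
"""

LINE_RE = re.compile(r"ICMP (\S+) src=(\S+) dst=(\S+)")


def broadcast_map(prefixes):
    """Map each link's directed-broadcast address to its subnet."""
    result = {}
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        # /31 (RFC 3021) and /32 links have no broadcast address.
        if net.prefixlen >= 31:
            continue
        result[net.broadcast_address] = net
    return result


def broadcast_hits(log_text, prefixes):
    """Count ICMP records whose src or dst is a link broadcast address."""
    bcasts = broadcast_map(prefixes)
    hits = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        _icmp_type, src, dst = match.groups()
        for role, addr in (("src", src), ("dst", dst)):
            ip = ipaddress.ip_address(addr)
            if ip in bcasts:
                hits[(str(ip), role)] += 1
    return hits


if __name__ == "__main__":
    found = broadcast_hits(SAMPLE_LOG, LINK_PREFIXES)
    for (addr, role), count in sorted(found.items()):
        print(f"{addr} seen as {role} in {count} ICMP packet(s)")
```

Records with a broadcast address as destination point at interfaces still accepting directed broadcasts; the /31 link is skipped because it has no broadcast address to abuse.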
ERX High SRP Processor utilization--lots of ICMP-- [ In reply to ]
Truman Boyes:
> You are probably seeing a "smurf" attack or other attack that relies on
> broadcast traffic. You should have 'no ip directed-broadcast' on the
> ERX. It may already exist in the default configuration, so do a 'show
> config include-defaults | inc directed' to verify. Also I would have ip
> local policies applied on each interface to restrict traffic with a
> destination of the SRP ip interfaces.

No, the traffic was directed for a customer behind the router, no
traffic was directed at either broadcast addresses or the router's local
addresses. The router is running as a route reflector with full
bgp-table, so it should also have a good grasp of the world.

The only process that seemed suspiciously high, was ip1 - but not
alarming.

What exactly caused it isn't clear to me right now, but the attack is still
going on with about 6k packets/second being dropped at our edges - so I
could always provoke it once more if I wanted to.

--
Roy-Magne Mo