
junos, sampling and firewall filter. UPD: ran into a problem with jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET:

Colleagues, good day!

There is an interface, and I want to handle incoming packets like this:

- sampling

- accept what is needed

- discard what is not needed

- accept transit traffic

 

I do the following:

set firewall filter sampling term sample then sample

set firewall filter accept-icmp term discard-icmp-fragments from destination-prefix-list LOCALS-v4
set firewall filter accept-icmp term discard-icmp-fragments from is-fragment
set firewall filter accept-icmp term discard-icmp-fragments from protocol icmp
set firewall filter accept-icmp term discard-icmp-fragments then count discard-icmp-fragments
set firewall filter accept-icmp term discard-icmp-fragments then discard
set firewall filter accept-icmp term accept-icmp from destination-prefix-list LOCALS-v4
set firewall filter accept-icmp term accept-icmp from icmp-type echo-reply
set firewall filter accept-icmp term accept-icmp from icmp-type echo-request
set firewall filter accept-icmp term accept-icmp from icmp-type time-exceeded
set firewall filter accept-icmp term accept-icmp from icmp-type unreachable
set firewall filter accept-icmp term accept-icmp from icmp-type source-quench
set firewall filter accept-icmp term accept-icmp from icmp-type router-advertisement
set firewall filter accept-icmp term accept-icmp from icmp-type parameter-problem
set firewall filter accept-icmp term accept-icmp then policer management-1m
set firewall filter accept-icmp term accept-icmp then count accept-icmp
set firewall filter accept-icmp term accept-icmp then accept

set firewall filter discard-all-to-locals-v4 term discard-ip-options from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-ip-options from ip-options any
set firewall filter discard-all-to-locals-v4 term discard-ip-options then count discard-ip-options
set firewall filter discard-all-to-locals-v4 term discard-ip-options then log
set firewall filter discard-all-to-locals-v4 term discard-ip-options then discard
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown from ttl 1
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then count discard-TTL_1-unknown
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then log
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then discard
set firewall filter discard-all-to-locals-v4 term discard-tcp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-tcp from protocol tcp
set firewall filter discard-all-to-locals-v4 term discard-tcp then count discard-tcp
set firewall filter discard-all-to-locals-v4 term discard-tcp then log
set firewall filter discard-all-to-locals-v4 term discard-tcp then discard
set firewall filter discard-all-to-locals-v4 term discard-udp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-udp from protocol udp
set firewall filter discard-all-to-locals-v4 term discard-udp then count discard-udp
set firewall filter discard-all-to-locals-v4 term discard-udp then log
set firewall filter discard-all-to-locals-v4 term discard-udp then discard
set firewall filter discard-all-to-locals-v4 term discard-icmp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-icmp from protocol icmp
set firewall filter discard-all-to-locals-v4 term discard-icmp then count discard-icmp
set firewall filter discard-all-to-locals-v4 term discard-icmp then log
set firewall filter discard-all-to-locals-v4 term discard-icmp then discard
set firewall filter discard-all-to-locals-v4 term discard-unknown from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-unknown then count discard-unknown
set firewall filter discard-all-to-locals-v4 term discard-unknown then log
set firewall filter discard-all-to-locals-v4 term discard-unknown then discard
set firewall filter discard-all-to-locals-v4 term accept-all-other then accept

 

I attach it to the interface with set family inet filter input-list [sampling accept-icmp discard-all-to-locals-v4], and the result is that after the sampling filter the packets are not processed by the remaining filters in the list. If I remove sampling, everything works fine.

What am I doing wrong? Or is it better to enable sampling on the interface via set interfaces X unit Y family inet sampling input, and use filter input-list only for filtering?

 

And btw, a question: did I understand correctly that every filter has a final implicit term with discard, i.e. whatever is not accepted is dropped in any case, but when filter input-list is used the packet goes through the rules from left to right and the implicit discard fires only in the last filter?

 

+ one more question: at the moment no IP address is assigned to interface lo0:

Physical interface: lo0, Enabled, Physical link is Up
 Interface index: 6, SNMP ifIndex: 6
 Type: Loopback, MTU: Unlimited
 Device flags   : Present Running Loopback
 Interface flags: SNMP-Traps
 Link flags     : None
 Last flapped   : Never
   Input packets : 4706
   Output packets: 4706

 Logical interface lo0.16384 (Index 320) (SNMP ifIndex 21)
   Flags: SNMP-Traps Encapsulation: Unspecified
   Input packets : 774
   Output packets: 774
   Protocol inet, MTU: Unlimited
     Addresses
       Local: 127.0.0.1

 Logical interface lo0.16385 (Index 321) (SNMP ifIndex 22)
   Flags: SNMP-Traps Encapsulation: Unspecified
   Input packets : 3926
   Output packets: 3926
   Protocol inet, MTU: Unlimited

 

The Local ID in show bgp neighbor x.x.x.x shows the IP address of interface fxp0.0; how do I filter traffic to the RE in that case? On fxp0.0?

Edited by mse.rus77


Figured out the first question:

There is no difference between the two configurations you have shown below. The usage of the two configurations differs:

 

1. For example, if you want to sample every family inet packet on the interface, you can just use "family inet sampling input/output" on the interface. It will mark every packet for sampling irrespective of the flow.

 

2. If you want to sample only a specific type of IP traffic, for example traffic from a specific source IP or a specific destination IP, you can create a customized firewall filter and match that specific traffic type for sampling.


> set firewall filter sampling term sample then sample

You have an implicit discard here, so everything will be dropped. Do the sample in the terms that accept or discard, or, as already advised, hang it on the whole interface.

Sample is not a terminating action.


> set firewall filter sampling term sample then sample
>
> You have an implicit discard here, so everything will be dropped. Do the sample in the terms that accept or discard, or, as already advised, hang it on the whole interface.
>
> Sample is not a terminating action.

I've already hung sampling on the interface. But as for the discard after then sample, it was the opposite: after sample everything went to accept. Checked with telnet ${external_if_addr} 22.


mse.rus77

> sample; # default action is accept

Too lazy to look for the docs, but the examples always state that accept is the default for sample; it's an exception to the general rule.


> mse.rus77
>
> > sample; # default action is accept
>
> Too lazy to look for the docs, but the examples always state that accept is the default for sample; it's an exception to the general rule.

Thanks.

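The two points made in the replies above, that sample is an action modifier rather than a terminating action and that a term carrying only modifiers accepts by default, are what let the telnet to port 22 through the list [sampling accept-icmp discard-all-to-locals-v4]. The Python below is an added example, not Junos code and not from anyone in the thread: a toy model of input-list evaluation (filters concatenated in order, first matching term wins, a terminating action ends evaluation, a modifier-only term accepts, implicit discard after the last filter; policer and log are no-ops) run over the three filters from the first post and over the variant the reply suggests, with sample placed inside the accepting and discarding terms. The contents of the LOCALS-v4 prefix list and the test packets are constructed; the accept-by-default and concatenation semantics are assumptions stated in the code.

```python
import ipaddress

TERMINATING = {"accept", "discard", "reject"}

# Constructed stand-in for the thread's LOCALS-v4 prefix list (addresses assumed).
PREFIX_LISTS = {"LOCALS-v4": ["192.0.2.1/32", "198.51.100.0/30"]}


def matches(cond, pkt):
    """Evaluate one term's 'from' conditions against a packet (a plain dict)."""
    for key, want in cond.items():
        if key == "destination-prefix-list":
            dst = ipaddress.ip_address(pkt["dst"])
            if not any(dst in ipaddress.ip_network(p) for p in PREFIX_LISTS[want]):
                return False
        elif key == "icmp-type":
            if pkt.get("icmp_type") not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def evaluate(input_list, pkt):
    """Run an interface input-list, a list of (filter_name, terms), over one packet.

    Model (assumed here, consistent with the thread): the filters behave as one
    filter with their terms concatenated in order; the first matching term applies
    its action modifiers (sample, count, log, policer); a terminating action ends
    evaluation; a term that carries only modifiers accepts the packet by default;
    a packet matching no term anywhere hits the implicit discard after the last filter.
    """
    trace = {"matched": None, "verdict": None, "sampled": False, "counters": []}
    for fname, terms in input_list:
        for tname, cond, actions in terms:
            if not matches(cond, pkt):
                continue
            trace["matched"] = f"{fname}/{tname}"
            verdict = "accept"  # default when the term has no terminating action
            for act in actions:
                if act == "sample":
                    trace["sampled"] = True
                elif act.startswith("count "):
                    trace["counters"].append(act.split(" ", 1)[1])
                elif act in TERMINATING:
                    verdict = act
            trace["verdict"] = verdict
            return trace
    trace.update(matched="implicit-discard", verdict="discard")
    return trace


LOCAL = {"destination-prefix-list": "LOCALS-v4"}
ICMP_OK = ["echo-reply", "echo-request", "time-exceeded", "unreachable",
           "source-quench", "router-advertisement", "parameter-problem"]

# The three filters from the first post, transcribed as (term, conditions, actions).
SAMPLING = ("sampling", [("sample", {}, ["sample"])])  # matches every packet
ACCEPT_ICMP = ("accept-icmp", [
    ("discard-icmp-fragments", {**LOCAL, "protocol": "icmp", "is_fragment": True},
     ["count discard-icmp-fragments", "discard"]),
    ("accept-icmp", {**LOCAL, "icmp-type": ICMP_OK},
     ["policer management-1m", "count accept-icmp", "accept"]),
])
DISCARD_LOCALS = ("discard-all-to-locals-v4", [
    ("discard-ip-options", {**LOCAL, "ip_options": True}, ["count discard-ip-options", "log", "discard"]),
    ("discard-TTL_1-unknown", {**LOCAL, "ttl": 1}, ["count discard-TTL_1-unknown", "log", "discard"]),
    ("discard-tcp", {**LOCAL, "protocol": "tcp"}, ["count discard-tcp", "log", "discard"]),
    ("discard-udp", {**LOCAL, "protocol": "udp"}, ["count discard-udp", "log", "discard"]),
    ("discard-icmp", {**LOCAL, "protocol": "icmp"}, ["count discard-icmp", "log", "discard"]),
    ("discard-unknown", LOCAL, ["count discard-unknown", "log", "discard"]),
    ("accept-all-other", {}, ["accept"]),
])


def with_sample(flt):
    """Copy of a filter with 'sample' added to every term: the reply's advice to
    sample inside the terms that accept or discard instead of in a separate filter."""
    name, terms = flt
    return (name, [(t, c, ["sample", *a]) for t, c, a in terms])


ORIGINAL = [SAMPLING, ACCEPT_ICMP, DISCARD_LOCALS]  # the list from the first post
FIXED = [with_sample(ACCEPT_ICMP), with_sample(DISCARD_LOCALS)]

# Constructed test packets: a TCP probe to the router (like the telnet to port 22
# in the thread), a ping to the router, and a transit UDP packet to a non-local address.
TCP_TO_LOCAL = {"dst": "192.0.2.1", "protocol": "tcp", "ttl": 60}
PING_TO_LOCAL = {"dst": "192.0.2.1", "protocol": "icmp", "icmp_type": "echo-request", "ttl": 60}
TRANSIT_UDP = {"dst": "203.0.113.9", "protocol": "udp", "ttl": 60}


def demo():
    """Verdicts of both lists for the three packets, keyed 'list/packet'."""
    out = {}
    for lname, lst in (("original", ORIGINAL), ("fixed", FIXED)):
        for pname, pkt in (("tcp-to-local", TCP_TO_LOCAL), ("ping-to-local", PING_TO_LOCAL),
                           ("transit-udp", TRANSIT_UDP)):
            out[f"{lname}/{pname}"] = evaluate(lst, pkt)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v['verdict']:8} via {v['matched']:42} sampled={v['sampled']} counters={v['counters']}")
```

Running it shows the TCP probe to a local address being accepted by sampling/sample in the original list and never reaching discard-tcp, while in the rewritten list it is discarded by discard-all-to-locals-v4/discard-tcp and still sampled; a list with no accept-all-other term ends in the implicit discard. Sampling on the interface with family inet sampling input, which is what the thread ended up doing, removes the first filter from the list altogether and corresponds to the rewritten list in which every term samples.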

An interesting thing came up: after I reconfigured packet sampling from firewall filter sample term sample then sample to the interface, set interface * unit 0 family inet sample input, entries like these appeared in the log:

 

Feb 17 14:29:09  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 1 times, started at 2017-02-17 14:29:09 GMT-3
Feb 17 14:34:12  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 1 times, from 2017-02-17 14:29:09 GMT-3 to 2017-02-17 14:29:11 GMT-3
Feb 17 15:00:47  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 2 times, started at 2017-02-17 15:00:47 GMT-3
Feb 17 15:05:48  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 2 times, from 2017-02-17 15:00:47 GMT-3 to 2017-02-17 15:00:47 GMT-3
Feb 17 15:40:23  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 3 times, started at 2017-02-17 15:40:22 GMT-3
Feb 17 15:45:22  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 3 times, from 2017-02-17 15:40:22 GMT-3 to 2017-02-17 15:40:22 GMT-3
Feb 17 16:46:59  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 4 times, started at 2017-02-17 16:46:58 GMT-3
Feb 17 16:52:03  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 4 times, from 2017-02-17 16:46:58 GMT-3 to 2017-02-17 16:47:03 GMT-3
Feb 17 16:56:34  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 5 times, started at 2017-02-17 16:56:33 GMT-3
Feb 17 17:02:33  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 5 times, from 2017-02-17 16:56:33 GMT-3 to 2017-02-17 16:57:33 GMT-3
Feb 17 17:31:59  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 6 times, started at 2017-02-17 17:31:58 GMT-3
Feb 17 17:37:39  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 6 times, from 2017-02-17 17:31:58 GMT-3 to 2017-02-17 17:32:38 GMT-3

 

Is this because a lot of packets hit sampling and DDoS protection kicks in? How do I fix it? Raise the default values?

Edited by mse.rus77

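The jddosd messages quoted above are easy to turn into a timeline. The Python below is an added example, not from the thread; the log lines it parses are copied verbatim from the post above (host MX80, PID 1548 as posted), and the syslog year is taken from the date inside each message since the syslog prefix carries none. It pairs each DDOS_PROTOCOL_VIOLATION_SET with its CLEAR per protocol and FPC, and reports how long each violation lasted and how long after the violation ended the CLEAR was logged:

```python
import re
from datetime import datetime

# Log lines copied from the post above (not constructed).
JDDOSD_LOG = """\
Feb 17 14:29:09  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 1 times, started at 2017-02-17 14:29:09 GMT-3
Feb 17 14:34:12  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 1 times, from 2017-02-17 14:29:09 GMT-3 to 2017-02-17 14:29:11 GMT-3
Feb 17 15:00:47  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 2 times, started at 2017-02-17 15:00:47 GMT-3
Feb 17 15:05:48  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 2 times, from 2017-02-17 15:00:47 GMT-3 to 2017-02-17 15:00:47 GMT-3
Feb 17 15:40:23  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 3 times, started at 2017-02-17 15:40:22 GMT-3
Feb 17 15:45:22  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 3 times, from 2017-02-17 15:40:22 GMT-3 to 2017-02-17 15:40:22 GMT-3
Feb 17 16:46:59  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 4 times, started at 2017-02-17 16:46:58 GMT-3
Feb 17 16:52:03  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 4 times, from 2017-02-17 16:46:58 GMT-3 to 2017-02-17 16:47:03 GMT-3
Feb 17 16:56:34  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 5 times, started at 2017-02-17 16:56:33 GMT-3
Feb 17 17:02:33  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 5 times, from 2017-02-17 16:56:33 GMT-3 to 2017-02-17 16:57:33 GMT-3
Feb 17 17:31:59  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 6 times, started at 2017-02-17 17:31:58 GMT-3
Feb 17 17:37:39  MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 6 times, from 2017-02-17 17:31:58 GMT-3 to 2017-02-17 17:32:38 GMT-3
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
SYSLOG = re.compile(r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
                    r"(?P<host>\S+)\s+jddosd\[\d+\]:\s+(?P<msg>.*)$")
SET_RE = re.compile(rf"DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<proto>\S+) is violated at fpc "
                    rf"(?P<fpc>\d+) for (?P<n>\d+) times, started at (?P<start>{TS})")
CLEAR_RE = re.compile(rf"DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (?P<proto>\S+) has returned to normal\. "
                      rf"Violated at fpc (?P<fpc>\d+) for (?P<n>\d+) times, from (?P<start>{TS}) \S+ to (?P<end>{TS})")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_jddosd(text):
    """Pair SET/CLEAR messages per (protocol, fpc) into a list of violation episodes.

    Each episode carries the violation start and end from the CLEAR message, the
    duration in seconds, and clear_lag_s: how long after the violation ended the
    CLEAR line itself was logged (the syslog timestamp minus the 'to' time).
    """
    open_violations, episodes = {}, []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a jddosd line; ignore
        s = SET_RE.search(m["msg"])
        if s:
            open_violations[(s["proto"], s["fpc"])] = {
                "proto": s["proto"], "fpc": int(s["fpc"]), "count": int(s["n"]), "start": _ts(s["start"])}
            continue
        c = CLEAR_RE.search(m["msg"])
        if c:
            # A CLEAR with no preceding SET (log rotated) still yields a complete episode.
            ep = open_violations.pop((c["proto"], c["fpc"]), {
                "proto": c["proto"], "fpc": int(c["fpc"]), "count": int(c["n"]), "start": _ts(c["start"])})
            end = _ts(c["end"])
            logged = datetime.strptime(f"{end.year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            ep.update(end=end, duration_s=int((end - ep["start"]).total_seconds()),
                      clear_lag_s=int((logged - end).total_seconds()))
            episodes.append(ep)
    return episodes


def summarize(episodes):
    """Per 'proto@fpcN': number of episodes, longest episode, and whether it recurs."""
    out = {}
    for ep in episodes:
        d = out.setdefault(f"{ep['proto']}@fpc{ep['fpc']}", {"episodes": 0, "max_duration_s": 0, "recurring": False})
        d["episodes"] += 1
        d["max_duration_s"] = max(d["max_duration_s"], ep["duration_s"])
        d["recurring"] = d["episodes"] > 1
    return out


if __name__ == "__main__":
    eps = parse_jddosd(JDDOSD_LOG)
    for ep in eps:
        print(f"#{ep['count']} {ep['proto']} fpc{ep['fpc']} {ep['start']:%H:%M:%S}-{ep['end']:%H:%M:%S} "
              f"lasted {ep['duration_s']}s, CLEAR logged {ep['clear_lag_s']}s later")
    print(summarize(eps))
```

On these lines every violation lasts between 0 and 60 seconds and recurs roughly every half hour to an hour, and each CLEAR is logged about 300 seconds after the violation ends, which matches the "Recover time: 300 seconds" in the show ddos-protection output further down. Pointing the parser at a full syslog archive rather than this excerpt gives the same per-protocol summary for every jddosd protocol group on the box.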

mse.rus77

> show ddos-protection protocols sample pfe

Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: Sample

 Packet type: pfe (PFE sample traffic)
   Individual policer configuration:
     Bandwidth:        1000 pps
     Burst:            1000 packets
     Priority:         Medium
     Recover time:     300 seconds
     Enabled:          Yes
     Bypass aggregate: No
   Flow detection configuration:
     Detection mode: Automatic  Detect time:  3 seconds
     Log flows:      Yes        Recover time: 60 seconds
     Timeout flows:  No         Timeout time: 300 seconds
     Flow aggregation level configuration:
       Aggregation level   Detection mode  Control mode  Flow rate
       Subscriber          Automatic       Drop          10 pps
       Logical interface   Automatic       Drop          10 pps
       Physical interface  Automatic       Drop          1000 pps
   System-wide information:
     Bandwidth is no longer being violated
       No. of FPCs that have received excess traffic: 1
       Last violation started at: 2017-02-20 09:34:50 GMT-3
       Last violation ended at:   2017-02-20 09:34:50 GMT-3
       Duration of last violation: 00:00:00 Number of violations: 99
     Received:  3474391             Arrival rate:     10 pps
     Dropped:   105050              Max arrival rate: 866 pps
   Routing Engine information:
     Bandwidth: 1000 pps, Burst: 1000 packets, enabled
     Policer is never violated
     Received:  0                   Arrival rate:     0 pps
     Dropped:   0                   Max arrival rate: 0 pps
       Dropped by aggregate policer: 0
   FPC slot 0 information:
     Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
     Policer is no longer being violated
       Last violation started at: 2017-02-20 09:34:50 GMT-3
       Last violation ended at:   2017-02-20 09:34:50 GMT-3
       Duration of last violation: 00:00:00 Number of violations: 99
     Received:  3474391             Arrival rate:     10 pps
     Dropped:   105050              Max arrival rate: 866 pps
       Dropped by this policer:      105050
       Dropped by aggregate policer: 0
       Dropped by flow suppression:  0
     Flow counts:
       Aggregation level     Current       Total detected   State
       Subscriber            0             0                Active

 

But Max arrival rate is 866 pps against a maximum of 1000 pps, so why is it dropping? And why was nothing dropped when sampling was done through the firewall filter? The traffic hasn't changed at all.
