DDoS ARP

tec1_
New Contributor

Twice we saw an ARP DDoS from a Layer 2 network operator to our different routers. It was above 1.5 million ARP packets per second, which the default ARP policer dropped.

[email protected]> show policer __default_arp_policer__
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                       61113045326           1328544093

{master}
[email protected]> show policer __default_arp_policer__
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                       61176856048           1329931282

{master}

But besides the dangerous ARP packets, legitimate ARP packets were dropped too. In the first incident we lost management of two Cisco switches, and in the second incident we lost many of our clients' services. In the second incident traffic on the subinterface grew up to 373 Mb/s, but the policer that rate-limits traffic on this subinterface didn't drop the exceeding traffic.

Why?

[email protected]> show policer lim1m-xe-0/1/0.974-inet-i
Policers:
Name                                                Bytes              Packets
lim1m-xe-0/1/0.974-inet-i                               0                    0

{master}
[email protected]> show policer lim1m-xe-0/1/0.974-inet-o
Policers:
Name                                                Bytes              Packets
lim1m-xe-0/1/0.974-inet-o                        57932665                40992

{master}

The correct solution to the problem was to use a policer rate-limiting ARP packets on the subinterface.

firewall {
    policer ARP-Policer {
        if-exceeding {
            bandwidth-limit 8k;
            burst-size-limit 1500;
        }
        then discard;
    }
}

interfaces {
    xe-0/1/0 {
        unit 974 {
            family inet {
                policer {
                    arp ARP-Policer;
                }
            }
        }
    }
}

Best regards,

Alexey
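As an added example, not part of the original post or of Juniper's own tooling, a small Python script that parses the two 'show policer' snapshots quoted above, computes the ARP packet rate the default policer discarded between them, and estimates how many ARP packets per second a bandwidth-limit of 8k admits at the observed average frame size. The one-second interval between the two snapshots is an assumption.

```python
import re

# Constructed sample input: the two 'show policer __default_arp_policer__'
# snapshots from the post, reproduced in the same column layout.
SNAPSHOT_1 = """Policers:
Name                                                Bytes              Packets
__default_arp_policer__                       61113045326           1328544093
"""
SNAPSHOT_2 = """Policers:
Name                                                Bytes              Packets
__default_arp_policer__                       61176856048           1329931282
"""

# One counter row: policer name, bytes, packets (the header row has no digits, so it is skipped).
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)

def parse_policer_counters(text):
    """Map each policer name in 'show policer' output to (bytes, packets)."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in ROW_RE.finditer(text)}

def counter_delta(old, new, width=64):
    """Difference between two monotonic counters, tolerating a single wrap-around."""
    return (new - old) % (1 << width)

def drop_rate(snap_a, snap_b, interval_s, name="__default_arp_policer__"):
    """Packets/s and bytes/s discarded by the named policer between two snapshots."""
    bytes_a, pkts_a = parse_policer_counters(snap_a)[name]
    bytes_b, pkts_b = parse_policer_counters(snap_b)[name]
    pkts = counter_delta(pkts_a, pkts_b)
    byts = counter_delta(bytes_a, bytes_b)
    return pkts / interval_s, byts / interval_s

def parse_bandwidth(limit):
    """Convert a Junos bandwidth-limit string such as '8k' or '1m' to bits per second."""
    scale = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    m = re.fullmatch(r"(\d+)([kmg]?)", limit.lower())
    return int(m.group(1)) * scale[m.group(2)]

def admitted_pps(bandwidth_limit, avg_frame_bytes):
    """Approximate ARP packets/s a policer bandwidth-limit admits for a given average frame size."""
    return parse_bandwidth(bandwidth_limit) / (avg_frame_bytes * 8)

if __name__ == "__main__":
    # Assumption: the two snapshots were taken one second apart.
    pps, bps = drop_rate(SNAPSHOT_1, SNAPSHOT_2, interval_s=1.0)
    avg_frame = bps / pps
    print(f"dropped {pps:,.0f} ARP packets/s, avg frame {avg_frame:.1f} bytes")
    print(f"ARP-Policer 8k admits ~{admitted_pps('8k', avg_frame):.0f} packets/s")
```

With the counters from the post this gives roughly 1.39 million discarded packets per second at about 46 bytes per frame, and an 8k policer then admits only about 21 ARP packets per second.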

5 REPLIES
kalagesan_
Super Contributor

Re: DDoS ARP

Hi Alexey,

I hope your query is about routers; please post the query in the forum below. This forum is only for SBR/UAC/OAC/Pulse.

http://forums.juniper.net/t5/Routing/bd-p/IProuting

 

Regards,

kannan

 

 

tec1_
New Contributor

Re: DDoS ARP

Hello Kannan,

Many thanks. How can I delete my post here?

 

Best regards, 

Alexey

kalagesan_
Super Contributor

Re: DDoS ARP

Hi Alexey,

 

I don't think we have a delete-message option in this forum; however, I have added #mistaken post# to this query.

 

This will take care.

Regards,

Kannan

tec1_
New Contributor

Re: DDoS ARP

Hi Kannan,

Many thanks.

spuluka
Super Contributor

Re: DDoS ARP

See the discussion on this post in the Routing forum:

 

http://forums.juniper.net/t5/Routing/DDoS-ARP/td-p/234006

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home