22 December 2014 15:44

This is a short post explaining how to monitor control-plane activity using the statistics kept by ddos-protection and a simple op script.


ddos-protection is enabled by default and is only available on MPC linecards; it protects both the linecard CPU and the Routing Engine CPU. It maintains, per protocol (and for some protocols per packet type), the current and maximum packet arrival rates. Statistics are available per MPC and per chassis (the Routing Engine's point of view).


Sample CLI output for the ICMP protocol:


sponge@bob> show ddos-protection protocols icmp statistics
Packet types: 1, Received traffic: 1, Currently violated: 0

Protocol Group: ICMP

  Packet type: aggregate
    System-wide information:
      Aggregate bandwidth is no longer being violated
        No. of FPCs that have received excess traffic: 1
        Last violation started at: 2014-11-21 11:20:33 CET
        Last violation ended at:   2014-11-21 11:20:39 CET
        Duration of last violation: 00:00:06 Number of violations: 1
      Received:  55403               Arrival rate:     0 pps
      Dropped:   7                   Max arrival rate: 48 pps


Packet type "aggregate" means all packet types combined: it is the sum of the per-packet-type counters. The max arrival rate is the highest rate observed since the statistics were last cleared or since the last reboot.


I developed a simple op script that displays, per protocol/packet type, the current and maximum rates observed by the Routing Engine. Only packet types with a max arrival rate greater than 0 are displayed.


This command lets you monitor your control plane in real time and can help you tune your ddos-protection policers.


Here is the checkcp.slax code:


version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

/* This is version 1.0 of the op script checkcp      */
/* Written by David roy                              */
/* door7302@gmail.com                                */

match / {
  <op-script-results> {
    /* Fetch the ddos-protection statistics through the RPC behind
       "show ddos-protection protocols statistics" */
    var $myrpc = <get-ddos-protocols-statistics> {};
    var $myddos = jcs:invoke($myrpc);

    /* Now display the table */
    <output> "";
    <output> "";
    <output> "+-------------------------------------------------------------------------+";
    <output> jcs:printf('|%-20s |%-20s |%-11s |%-10s\n', "Protocol", "Packet Type", "Current pps", "Max pps Observed");
    <output> "+-------------------------------------------------------------------------+";

    /* One row per protocol group / packet type, skipping packet types never seen */
    for-each ($myddos/ddos-protocol-group/ddos-protocol/packet-type) {
      var $name = .;
      if (../ddos-system-statistics/packet-arrival-rate-max != "0") {
        <output> jcs:printf('|%-20s |%-20s |%-11s |%-10s\n', ../../group-name, $name, ../ddos-system-statistics/packet-arrival-rate, ../ddos-system-statistics/packet-arrival-rate-max);
      }
    }
    <output> "+-------------------------------------------------------------------------+";
  }
}

Copy and paste the code above into the file /var/db/scripts/op/checkcp.slax. Then enable the script by adding this configuration:


set system scripts op file checkcp.slax
commit and-quit


Finally, run the op script:


sponge@bob> op checkcp
|Protocol             |Packet Type          |Current pps |Max pps Observed
|ICMP                 |aggregate            |0           |48
|OSPF                 |aggregate            |0           |2
|PIM                  |aggregate            |0           |2
|BFD                  |aggregate            |0           |11
|LDP                  |aggregate            |0           |3
|BGP                  |aggregate            |1           |17
|SSH                  |aggregate            |3           |249
|SNMP                 |aggregate            |0           |130
|LACP                 |aggregate            |1           |2
|ISIS                 |aggregate            |0           |5
|Reject               |aggregate            |0           |88080
|TCP-Flags            |aggregate            |6           |163
|TCP-Flags            |initial              |0           |1
|TCP-Flags            |established          |6           |163
|PIMv6                |aggregate            |0           |1
|Sample               |aggregate            |0           |7431
|Sample               |host                 |0           |7431
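As an added example (not the post's own code), the same filter the op script applies, done offline in Python on a constructed XML sample in the shape of `show ddos-protection protocols statistics | display xml`; the element names are the ones the SLAX XPath above uses, while `<packet-received>` and `<packet-dropped>` are assumed names for the Received/Dropped counters. It goes one step further than the script by isolating the packet types whose policer has actually dropped traffic, which is what matters when tuning policers.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `show ddos-protection protocols statistics | display xml`,
# trimmed to the elements the SLAX script reads. <packet-received> and
# <packet-dropped> are assumed names for the Received/Dropped counters.
SAMPLE_XML = """<ddos-protocols-information>
 <ddos-protocol-group><group-name>ICMP</group-name>
  <ddos-protocol><packet-type>aggregate</packet-type>
   <ddos-system-statistics><packet-received>55403</packet-received>
    <packet-arrival-rate>0</packet-arrival-rate><packet-dropped>7</packet-dropped>
    <packet-arrival-rate-max>48</packet-arrival-rate-max></ddos-system-statistics>
  </ddos-protocol></ddos-protocol-group>
 <ddos-protocol-group><group-name>TCP-Flags</group-name>
  <ddos-protocol><packet-type>aggregate</packet-type>
   <ddos-system-statistics><packet-received>9000</packet-received>
    <packet-arrival-rate>6</packet-arrival-rate><packet-dropped>0</packet-dropped>
    <packet-arrival-rate-max>163</packet-arrival-rate-max></ddos-system-statistics>
  </ddos-protocol>
  <ddos-protocol><packet-type>initial</packet-type>
   <ddos-system-statistics><packet-received>0</packet-received>
    <packet-arrival-rate>0</packet-arrival-rate><packet-dropped>0</packet-dropped>
    <packet-arrival-rate-max>0</packet-arrival-rate-max></ddos-system-statistics>
  </ddos-protocol></ddos-protocol-group>
</ddos-protocols-information>"""

def parse_ddos_stats(xml_text):
    """Flatten every protocol-group/packet-type pair into a dict of integer counters."""
    rows = []
    for group in ET.fromstring(xml_text).iter("ddos-protocol-group"):
        name = group.findtext("group-name")
        for proto in group.iter("ddos-protocol"):
            st = proto.find("ddos-system-statistics")
            rows.append({
                "protocol": name,
                "packet_type": proto.findtext("packet-type"),
                "received": int(st.findtext("packet-received", "0")),
                "dropped": int(st.findtext("packet-dropped", "0")),
                "rate": int(st.findtext("packet-arrival-rate", "0")),
                "rate_max": int(st.findtext("packet-arrival-rate-max", "0")),
            })
    return rows

def active_rows(rows):
    """The op script's filter: only packet types whose max observed rate is above 0."""
    return [r for r in rows if r["rate_max"] > 0]

def dropped_rows(rows):
    """Packet types where the policer has actually discarded traffic: the ones worth tuning."""
    return [r for r in rows if r["dropped"] > 0]
```

Feed the real `| display xml` output to `parse_ddos_stats` and the two filters give you the op script's table and the shorter list of policers that are currently biting.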







Thank you for this post. I was able to modify it to output a table of DDoS dropped packet counts which cuts through the vast haystack of data the CLI usually generates.
Great tool, David - thanks! Worth noting Juniper PR 924807 which documents an issue where packets being forwarded to a local subnet and needing ARP resolution get queued incorrectly by the DDoS protection code, and as a result in a throttled host queue. The workaround, unfortunately, is to turn off the protection.
Thank you. Yes, I was aware of this PR.