Interface errors are classified as input and output errors. Input errors are the error counters that occur at the input queue of an SRX interface.
Errors: Sum of the incoming frame aborts and FCS errors.
Drops: Number of packets dropped by the input queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
Framing errors: Number of packets received with an invalid frame checksum (FCS).
Runts: Number of received frames that are smaller than the runt threshold.
Policed discards: Number of frames that the incoming packet match code discarded because they were not recognized or not of interest. Usually, this field reports protocols that the JUNOS software does not handle.
L3 incompletes: Number of incoming packets discarded because they failed Layer 3 sanity checks on the headers. For example, a frame with less than 20 bytes of available IP header is discarded.
L2 channel errors: Number of times the software did not find a valid logical interface for an incoming frame.
L2 mismatch timeouts: Number of malformed or short packets that caused the incoming packet handler to discard the frame as unreadable.
FIFO errors: Number of FIFO errors in the receive direction reported by the ASIC on the PIC. If this value is ever non-zero, the PIC is probably malfunctioning.
Resource errors: Sum of transmit drops.
Output errors can be broadly summarized as follows:
Carrier transitions: Number of times the interface has gone from down to up. This number does not normally increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and then up, or another issue occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, far-end system, PIC or PIM is malfunctioning.
Errors: Sum of the outgoing frame aborts and FCS errors.
Drops: Number of packets dropped by the output queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
Collisions: Number of Ethernet collisions. The Gigabit Ethernet PIC supports only full-duplex operation, so for Gigabit Ethernet PICs this number should always remain 0. If it is non-zero, there is a software bug.
Aged packets: Number of packets that remained in the shared packet SDRAM for so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware.
FIFO errors: Number of FIFO errors in the send direction, as reported by the ASIC on the PIC. If this value is ever non-zero, the PIC is probably malfunctioning.
HS link CRC errors: Number of errors on the high-speed links between the ASICs responsible for handling the router interfaces.
MTU errors: Number of packets whose size exceeded the interface MTU.
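The counter descriptions above double as triage rules: FIFO errors in either direction point at the PIC, collisions on a full-duplex Gigabit Ethernet PIC or an incrementing Aged packets counter point at software, and carrier transitions are only alarming when they increment quickly. The following Python script is an added example (not code from the page or from Juniper) that parses the "Input errors" / "Output errors" blocks of two snapshots of `show interfaces extensive`, taken an interval apart, and applies exactly those rules. The two snapshots are constructed sample text in the Junos output layout, the 60-second interval and the "at least one transition per 10 seconds" flapping threshold are assumptions derived from the rule of thumb in the text, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample (not real device output): the two error blocks of
# "show interfaces xe-0/0/0 extensive" captured twice, 60 seconds apart.
SNAPSHOT_T0 = """\
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 12, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 3, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
"""
SNAPSHOT_T1 = """\
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 12, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 2, Resource errors: 0
  Output errors:
    Carrier transitions: 11, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 1, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
"""
INTERVAL_S = 60  # assumed spacing between the two snapshots

# "Name: 123" pairs separated by commas; names may contain spaces and digits ("L3 incompletes").
COUNTER_RE = re.compile(r"([A-Za-z0-9 ]+?):\s*(\d+)")


def parse_errors(text: str) -> Dict[str, Dict[str, int]]:
    """Split the output into {'input': {...}, 'output': {...}} counter maps."""
    counters: Dict[str, Dict[str, int]] = {"input": {}, "output": {}}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Input errors:":
            section = "input"
            continue
        if stripped == "Output errors:":
            section = "output"
            continue
        if section is None:
            continue
        for name, value in COUNTER_RE.findall(stripped):
            counters[section][name.strip()] = int(value)
    return counters


def triage_interface_errors(before_text: str, after_text: str, interval_s: int) -> List[str]:
    """Apply the interpretation rules from the counter descriptions to two snapshots."""
    before, after = parse_errors(before_text), parse_errors(after_text)
    findings: List[str] = []

    # FIFO errors in either direction point at the PIC itself.
    for direction in ("input", "output"):
        if after[direction].get("FIFO errors", 0):
            findings.append(f"{direction} FIFO errors non-zero: PIC is probably malfunctioning")

    out_before, out_after = before["output"], after["output"]

    # Gigabit Ethernet is full-duplex only, so any collision count is a software bug.
    if out_after.get("Collisions", 0):
        findings.append("collisions on a full-duplex Gigabit Ethernet PIC: software bug")

    # Aged packets must never increase between snapshots.
    if out_after.get("Aged packets", 0) > out_before.get("Aged packets", 0):
        findings.append("aged packets incremented: software bug or failing hardware")

    # Carrier transitions: flag if the link flapped on average at least once per 10 s
    # (the "perhaps once every 10 seconds" rule of thumb; the threshold is an assumption).
    delta = out_after.get("Carrier transitions", 0) - out_before.get("Carrier transitions", 0)
    if delta > 0 and interval_s / delta <= 10:
        findings.append(f"{delta} carrier transitions in {interval_s}s: cable, far end, PIC or PIM fault")

    return findings


if __name__ == "__main__":
    for finding in triage_interface_errors(SNAPSHOT_T0, SNAPSHOT_T1, INTERVAL_S):
        print(finding)
```

Run against the two constructed snapshots it reports three findings (input FIFO errors, an aged-packet increment, and 8 carrier transitions in 60 seconds) and stays silent for the collision rule, which is the behaviour the descriptions predict. In practice the snapshots would come from the device over NETCONF or a logged CLI session; the rules themselves do not change.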
BGP FlowSpec rapidly propagates filtering and policing rules between BGP peers and is used to mitigate DDoS attacks.
Conventional RTBH mitigates an attack by propagating the attack target's address with a next-hop of null/discard. In that case, however, the attack target itself becomes unreachable.
Unlike RTBH, FlowSpec is not limited to the null/discard action: it can respond to a DDoS attack with a much wider set of match options, such as source, destination, L4 parameters and packet parameters (length, fragmentation, etc.).
Juniper FlowSpec operation
As shown in the figure below, a flow received from a BGP peer passes through a validation step; a flow that passes is stored in the Local-RIB, converted into a firewall filter and pushed down to each PFE, where the filter is applied to every interface.
LAB TEST
Network diagram
[ R1 ] --------------------- [ R2 ]
1.1.1.1 192.168.0.0/24 2.2.2.2
R1
set logical-systems TEST_1 interfaces xe-1/2/0 unit 0 family inet address 10.10.10.1/24
set logical-systems TEST_1 interfaces lo0 unit 1 family inet address 1.1.1.1/32
set logical-systems TEST_1 protocols bgp group TEST type internal
set logical-systems TEST_1 protocols bgp group TEST local-address 1.1.1.1
set logical-systems TEST_1 protocols bgp group TEST family inet unicast
set logical-systems TEST_1 protocols bgp group TEST family inet flow no-validate TEST_default
set logical-systems TEST_1 protocols bgp group TEST neighbor 2.2.2.2
set logical-systems TEST_1 policy-options policy-statement TEST_default term 10 then accept
set logical-systems TEST_1 policy-options policy-statement TEST_default term 5 then reject
set logical-systems TEST_1 routing-options static route 2.2.2.2/32 next-hop 10.10.10.2
set logical-systems TEST_1 routing-options autonomous-system 1234
R2
set interfaces xe-1/3/0 unit 0 family inet address 10.10.10.2/24
set interfaces lo0 unit 2 family inet address 2.2.2.2/32
set routing-options static route 1.1.1.1/32 next-hop 10.10.10.1
set routing-options autonomous-system 1234
set routing-options flow route TEST match protocol icmp
set routing-options flow route TEST then discard
set protocols bgp group TEST type internal
set protocols bgp group TEST local-address 2.2.2.2
set protocols bgp group TEST family inet unicast
set protocols bgp group TEST family inet flow no-validate TEST
set protocols bgp group TEST cluster 2.2.2.2
set protocols bgp group TEST neighbor 1.1.1.1
set policy-options policy-statement TEST then accept
-> On R2, a flow route (TEST) that discards ICMP is created and advertised to R1.
R1, having received the flow via BGP, builds a firewall filter from it and applies the filter to every interface.
When a ping from R1 to R2 is attempted, the ICMP packets are dropped by the firewall filter generated from the received flow.
R1 firewall filter (after attempting a ping from R1 to R2)
icraft@Mx960# run show firewall
Filter: __default_bpdu_filter__
Filter: __flowspec_default_inet__
Counters:
Name Bytes Packets
*,*,proto=1 588 7
[edit]
icraft@Mx960#
The received flow can be inspected with the show route command; it is stored in the inetflow.0 table.
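To make concrete what R2 actually advertises to R1 for the flow route above, here is an added Python example (not code from the page or from Juniper) that encodes the lab's `match protocol icmp` / `then discard` flow route as the RFC 5575 flow-spec NLRI plus traffic-rate extended community, decodes it back, and evaluates it against a packet's protocol number the way the generated filter does. The AS number 1234 comes from the lab configuration, and the counter label `*,*,proto=1` is the one shown in the `show firewall` output; that `discard` travels as a traffic-rate of 0 is standard RFC 5575 behaviour. The helper names, the restriction to the IP-protocol component and the one-octet NLRI length form are my own choices for the example.

```python
import struct
from typing import List, Tuple

# RFC 5575 flow-spec component type for "IP protocol" (the only one this example handles).
COMP_IP_PROTOCOL = 3

# Bits of the numeric operator octet (RFC 5575 section 4).
OP_END = 0x80   # e: this is the last (operator, value) pair of the component
OP_AND = 0x40   # a: AND with the previous pair (clear = OR); AND binds tighter than OR
OP_LT = 0x04
OP_GT = 0x02
OP_EQ = 0x01
# bits 0x30 give the value length: 00 = 1, 01 = 2, 10 = 4, 11 = 8 octets

# Traffic-rate extended community: type 0x80, sub-type 0x06, 2-octet AS, IEEE float rate.
TRAFFIC_RATE = (0x80, 0x06)


def encode_ip_protocol(proto: int) -> bytes:
    """'match protocol <n>' is a single (eq, n) pair with a 1-octet value."""
    return bytes([COMP_IP_PROTOCOL, OP_END | OP_EQ, proto])


def encode_flow_nlri(components: bytes) -> bytes:
    """Prefix the components with the NLRI length (one octet when shorter than 240)."""
    if len(components) >= 240:
        raise ValueError("two-octet NLRI length form not implemented in this example")
    return bytes([len(components)]) + components


def encode_traffic_rate(asn: int, bytes_per_second: float) -> bytes:
    """'then discard' is advertised as a traffic-rate of 0 bytes per second."""
    return struct.pack("!BBHf", *TRAFFIC_RATE, asn, bytes_per_second)


def decode_flow_nlri(nlri: bytes) -> List[Tuple[int, List[Tuple[int, int]]]]:
    """Return [(component_type, [(operator, value), ...]), ...]; IP-protocol components only."""
    length, body = nlri[0], nlri[1:]
    if length >= 240:
        raise ValueError("two-octet NLRI length form not implemented in this example")
    if len(body) != length:
        raise ValueError("NLRI length does not match payload")
    i, components = 0, []
    while i < len(body):
        ctype = body[i]
        i += 1
        if ctype != COMP_IP_PROTOCOL:
            raise ValueError(f"component type {ctype} not handled in this example")
        pairs = []
        while True:
            op = body[i]
            i += 1
            vlen = 1 << ((op & 0x30) >> 4)
            pairs.append((op, int.from_bytes(body[i:i + vlen], "big")))
            i += vlen
            if op & OP_END:
                break
        components.append((ctype, pairs))
    return components


def numeric_match(pairs: List[Tuple[int, int]], field: int) -> bool:
    """Evaluate a numeric component against one packet field (AND before OR)."""
    and_groups: List[bool] = []
    for op, value in pairs:
        hit = (bool(op & OP_EQ) and field == value) or \
              (bool(op & OP_GT) and field > value) or \
              (bool(op & OP_LT) and field < value)
        if op & OP_AND and and_groups:
            and_groups[-1] = and_groups[-1] and hit
        else:
            and_groups.append(hit)
    return any(and_groups)


def flow_matches(nlri: bytes, ip_protocol: int) -> bool:
    """A packet matches the flow only if every component in the NLRI matches."""
    return all(numeric_match(pairs, ip_protocol) for _, pairs in decode_flow_nlri(nlri))


def is_discard(ext_community: bytes) -> bool:
    kind, sub, _asn, rate = struct.unpack("!BBHf", ext_community)
    return (kind, sub) == TRAFFIC_RATE and rate == 0.0


def counter_name(nlri: bytes) -> str:
    """Approximate the '<dst>,<src>,proto=N' counter label seen in 'show firewall'."""
    protos = [v for _, pairs in decode_flow_nlri(nlri) for _, v in pairs]
    return "*,*," + ",".join(f"proto={p}" for p in protos)


# The lab's flow route: "match protocol icmp" (protocol 1), "then discard", AS 1234.
LAB_NLRI = encode_flow_nlri(encode_ip_protocol(1))
LAB_ACTION = encode_traffic_rate(1234, 0.0)

if __name__ == "__main__":
    print(LAB_NLRI.hex(), LAB_ACTION.hex())
    print(counter_name(LAB_NLRI), "discard" if is_discard(LAB_ACTION) else "rate-limit")
    print("ICMP dropped:", flow_matches(LAB_NLRI, 1), "TCP dropped:", flow_matches(LAB_NLRI, 6))
```

The NLRI for the lab flow is just four octets (length 3, then type 3, operator `eq` with end-of-list, value 1), which is why FlowSpec can distribute a mitigation far more cheaply and precisely than a blackhole route: the same component list can carry a destination prefix, ports or packet length, and the extended community can express a rate limit instead of a discard. Because the lab uses `no-validate`, R1 installs the flow without checking it against the unicast route for the destination; in production that validation step is what stops a peer from advertising filters for prefixes it does not originate.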