Flowspec malformed advertisements to Juniper switch

63 views
Skip to first unread message

gg

unread,
May 7, 2021, 3:00:26 PM5/7/21
to sFlow-RT
Hi Peter,

I keep getting this output on a juniper switch, when advertising flowspec filters to it from sflow-rt.

May  7 18:47:02  labswitch rpd[7224]: bgp_inetflow_get_prefix: can't resolve inetflow prefix range
May  7 18:47:02  labswitch rpd[7224]: bgp_rcv_nlri:10582: NOTIFICATION sent to XXX.XXX.XXX.XXX (External AS 64666): code 3 (Update Message Error) subcode 10 (bad address/prefix field), Reason: peer XXX.XXX.XXX.XXX (External AS 64666) update included invalid route zero-len/0 (0 of 14)
May  7 18:47:02  labswitch rpd[7224]: Received malformed update from XXX.XXX.XXX.XXX (External AS 64666)
May  7 18:47:02  labswitch rpd[7224]:   Family inet-unicast, prefix 0.0.0.0/0

These advertisements end up triggering a BGP notification from the switch and closing the session.

After a few of these, bgpAddFlow(router_ip,ctl.flowspec)) raises a Java exception:

java.lang.NumberFormatException: For input string: "null"

Are you familiar with this situation? Why would Juniper consider the advertisement to be malformed (invalid route zero-len/0)?

Regards,
Gaston


Peter Phaal

unread,
May 7, 2021, 3:12:23 PM5/7/21
to sFlow-RT
What was the sFlow-RT flowspec object that you were pushing? From the error message, it looks like you were trying to push a default route 0.0.0.0/0?

gg

unread,
May 7, 2021, 3:27:22 PM5/7/21
to sFlow-RT
I'm printing this before sending it to bgpAddFlow:

logInfo(ctl.key);
logInfo(ctl.status);
logInfo(ctl.ipversion);
logInfo(ctl.target);
logInfo(ctl.action);
logInfo(ctl.protocol);
logInfo(ctl.flowspec.match.destination);
logInfo(ctl.flowspec.match.version);
logInfo(ctl.flowspec.match.protocol);

And looks ok, I'm hiding public IP addresses but they are not 0.0.0.0:

sflow-rt    | 2021-05-07T18:49:00Z INFO: DDoS filter XXX.XXX.XXX.XXX 1
sflow-rt    | 2021-05-07T18:49:00Z INFO: filter-XXX.XXX.XXX.XXX-1
sflow-rt    | 2021-05-07T18:49:00Z INFO: pending
sflow-rt    | 2021-05-07T18:49:00Z INFO: 4
sflow-rt    | 2021-05-07T18:49:00Z INFO: XXX.XXX.XXX.XXX
sflow-rt    | 2021-05-07T18:49:00Z INFO: filter
sflow-rt    | 2021-05-07T18:49:00Z INFO: 1
sflow-rt    | 2021-05-07T18:49:00Z INFO: XXX.XXX.XXX.XXX
sflow-rt    | 2021-05-07T18:49:00Z INFO: 4
sflow-rt    | 2021-05-07T18:49:00Z INFO: =1

I'm generating a different key that the one being used in ddos-protect, but I'm using the same functions.

Regards,
Gaston

Peter Phaal

unread,
May 7, 2021, 3:54:14 PM5/7/21
to sFlow-RT
Thanks for the output. Nothing jumps out.

DDoS Mitigation with Juniper, sFlow, and BGP Flowspec describes some testing done with Juniper. Does the unmodified version of ddos-protect work in your setup?

The keys used to define flows in the ddos-protect script are highly factored and all have specific structure:
1. target address
2. group name for target address
3. protocol

These fields are parsed in the event handler:

The factoring in ddos-protect makes it difficult to extend with new signatures if they don't match the existing pattern. You might find it easier to start with a simple controller like the one in the article, Real-time DDoS mitigation using sFlow and BGP FlowSpec, since the simpler script is easier to debug.

The REST API explorere is also a good way to experiment with Flowspec rules. The bgpAddFlow() method doesn't do much in the way of validation - it expects the program creating the flowspec rule to create well formed rules.

gg

unread,
May 7, 2021, 4:30:19 PM5/7/21
to sFlow-RT
Yes Peter, It's my fault somewhere! Sflow-RT Flowspec is ok.
Reply all
Reply to author
Forward
0 new messages