Flowspec malformed advertisements to Juniper switch

[gg]

Hi Peter,

I keep getting this output on a juniper switch, when advertising flowspec filters to it from sflow-rt.

May  7 18:47:02  labswitch rpd[7224]: bgp_inetflow_get_prefix: can't resolve inetflow prefix range

May  7 18:47:02  labswitch rpd[7224]: bgp_rcv_nlri:10582: NOTIFICATION sent to XXX.XXX.XXX.XXX (External AS 64666): code 3 (Update Message Error) subcode 10 (bad address/prefix field), Reason: peer XXX.XXX.XXX.XXX (External AS 64666) update included invalid route zero-len/0 (0 of 14)

May  7 18:47:02  labswitch rpd[7224]: Received malformed update from XXX.XXX.XXX.XXX (External AS 64666)

May  7 18:47:02  labswitch rpd[7224]:   Family inet-unicast, prefix 0.0.0.0/0

These advertisements end up triggering a BGP notification from the switch and closing the session.

After a few of these, bgpAddFlow(router_ip,ctl.flowspec)) raises a Java exception:

java.lang.NumberFormatException: For input string: "null"

Are you familiar with this situation? Why would Juniper consider the advertisement to be malformed (invalid route zero-len/0)?

Regards,

Gaston

[Peter Phaal]

What was the sFlow-RT flowspec object that you were pushing? From the error message, it looks like you were trying to push a default route 0.0.0.0/0?

[gg]

I'm printing this before sending it to bgpAddFlow:

logInfo(ctl.key);

logInfo(ctl.status);

logInfo(ctl.ipversion);

logInfo(ctl.target);

logInfo(ctl.action);

logInfo(ctl.protocol);

logInfo(ctl.flowspec.match.destination);

logInfo(ctl.flowspec.match.version);

logInfo(ctl.flowspec.match.protocol);

And looks ok, I'm hiding public IP addresses but they are not 0.0.0.0:

sflow-rt    | 2021-05-07T18:49:00Z INFO: DDoS filter XXX.XXX.XXX.XXX 1

sflow-rt    | 2021-05-07T18:49:00Z INFO: filter-XXX.XXX.XXX.XXX-1

sflow-rt    | 2021-05-07T18:49:00Z INFO: pending

sflow-rt    | 2021-05-07T18:49:00Z INFO: 4

sflow-rt    | 2021-05-07T18:49:00Z INFO: XXX.XXX.XXX.XXX

sflow-rt    | 2021-05-07T18:49:00Z INFO: filter

sflow-rt    | 2021-05-07T18:49:00Z INFO: 1

sflow-rt    | 2021-05-07T18:49:00Z INFO: XXX.XXX.XXX.XXX

sflow-rt    | 2021-05-07T18:49:00Z INFO: 4

sflow-rt    | 2021-05-07T18:49:00Z INFO: =1

I'm generating a different key that the one being used in ddos-protect, but I'm using the same functions.

Regards,

Gaston

[Peter Phaal]

Thanks for the output. Nothing jumps out.

DDoS Mitigation with Juniper, sFlow, and BGP Flowspec describes some testing done with Juniper. Does the unmodified version of ddos-protect work in your setup?

The keys used to define flows in the ddos-protect script are highly factored and all have specific structure:

1. target address

2. group name for target address

3. protocol

These fields are parsed in the event handler:

https://github.com/sflow-rt/ddos-protect/blob/master/scripts/ddos.js#L556

The factoring in ddos-protect makes it difficult to extend with new signatures if they don't match the existing pattern. You might find it easier to start with a simple controller like the one in the article, Real-time DDoS mitigation using sFlow and BGP FlowSpec, since the simpler script is easier to debug.

The REST API explorere is also a good way to experiment with Flowspec rules. The bgpAddFlow() method doesn't do much in the way of validation - it expects the program creating the flowspec rule to create well formed rules.

[gg]

Yes Peter, It's my fault somewhere! Sflow-RT Flowspec is ok.