DDoS attack knocking down A10 by pps

Even without any client on the CGN, an attack of less than 500 Mb with millions of pps could bring down A10.


I just have a route to A10's WAN address like x.x.x.x/24 192.168.0.2


Even without any session.


I tried a blackhole like ip route x.x.x.x /24 lif 100 with no change. The attack brings down A10 (all data CPUs increase to 100%).


Is there any command to discard illegitimate packets and not use as much processing?

Comments

  • siddharthaa Member, Administrator
    edited January 2023

    Hi,


    A10 offers several integrated DDoS protection features for CGNAT environments, such as:

    • IP Blacklist for DDoS Protection
    • IP Anomaly Filtering
    • Connection Rate Limiting
    • Selective Filtering for LSN
    • Reduced CPU Overhead for CPU Round Robin
    • SYN Cookie


    For a quick overview of these features, you can refer to the solution brief:

    https://www.a10networks.com/wp-content/uploads/A10-SB-DDoS-Protection-for-CGNAT-Environments.pdf

    For more details, including configuration commands, you may want to refer to ACOS IPv4-to-IPv6 Transition Solutions Guide.


    For selective filtering, ACOS tracks a per-protocol packets-per-second rate limit. These limits are matched on a destination 2-tuple basis (NAT IP and NAT port). The thresholds are not configured for a specific destination 2-tuple. Rather, ACOS tracks the destination 2-tuple of all incoming packets and drops packets when the threshold is exceeded for any given destination 2-tuple.

    Here is a sample configuration snippet for Selective Filtering from the configuration guide:

    ACOS(config)# cgnv6 ddos-protection packets-per-second ip 5000 action drop
    ACOS(config)# cgnv6 ddos-protection packets-per-second tcp 8000
    ACOS(config)# cgnv6 ddos-protection packets-per-second udp 6000
    ACOS(config)# cgnv6 ddos-protection packets-per-second other 15000
    ACOS(config)# cgnv6 ddos-protection logging enable
    ACOS(config)# cgnv6 ddos-protection enable


    For more effective filtering to protect CPUs, destination 2-tuples (NAT IP and NAT port) are programmed into the hardware on supported FTA platforms.


    Hope that helps.
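As an added illustration, not code from A10 or from anyone in this thread, the following Python model shows how a per-destination-2-tuple packets-per-second filter of the kind described above behaves when an unused public IP is flooded. It takes the thresholds from the sample config, and it assumes (these are assumptions, not documented ACOS semantics) a fixed one-second counting window, that the `ip` threshold is an aggregate over all protocols for a 2-tuple while `tcp`/`udp`/`other` are per-protocol limits for that same 2-tuple, and that logging emits one line per 2-tuple per second when a limit is first hit. The traffic is constructed, using RFC 5737 documentation addresses.

```python
"""Model of per-destination-2-tuple packets-per-second filtering (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds taken from the sample config in the thread (packets per second).
# Assumption: "ip" is an aggregate limit over all protocols for a 2-tuple,
# while "tcp"/"udp"/"other" are per-protocol limits for the same 2-tuple.
THRESHOLDS = {"ip": 5000, "tcp": 8000, "udp": 6000, "other": 15000}


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    dst_ip: str
    dst_port: int
    proto: str       # "tcp", "udp" or anything else (counted as "other")


class SelectiveFilter:
    """Fixed one-second window counters keyed by (dst_ip, dst_port, class)."""

    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.counters = {}   # (dst_ip, dst_port, cls) -> [second, count]
        self.stats = defaultdict(lambda: {"pass": 0, "drop": 0})
        self.logged = set()  # (2-tuple, second) pairs already reported
        self.log = []        # one line per 2-tuple per second when a limit is first hit

    def _counter(self, dst_ip, dst_port, cls, ts):
        key = (dst_ip, dst_port, cls)
        sec = int(ts)
        c = self.counters.get(key)
        if c is None or c[0] != sec:   # new second: the bucket starts over
            c = [sec, 0]
            self.counters[key] = c
        return c

    def process(self, pkt):
        """Return "pass" or "drop" for one packet and update the counters."""
        cls = pkt.proto if pkt.proto in ("tcp", "udp") else "other"
        tup = (pkt.dst_ip, pkt.dst_port)
        agg = self._counter(pkt.dst_ip, pkt.dst_port, "ip", pkt.ts)
        per = self._counter(pkt.dst_ip, pkt.dst_port, cls, pkt.ts)
        over_ip = agg[1] >= self.thresholds["ip"]
        over_cls = per[1] >= self.thresholds[cls]
        if over_ip or over_cls:
            mark = (tup, int(pkt.ts))
            if mark not in self.logged:
                self.logged.add(mark)
                self.log.append(f"t={int(pkt.ts)} dst={pkt.dst_ip}:{pkt.dst_port} "
                                f"limit={'ip' if over_ip else cls} action=drop")
            self.stats[tup]["drop"] += 1
            return "drop"
        agg[1] += 1
        per[1] += 1
        self.stats[tup]["pass"] += 1
        return "pass"


def simulate():
    """Constructed traffic: a 20k-pps UDP flood to an unused public IP, a small
    legitimate TCP flow to another address, then a quiet next second."""
    f = SelectiveFilter()
    flood = [Packet(10.0 + i / 20000, "203.0.113.10", 53, "udp") for i in range(20000)]
    legit = [Packet(10.0 + i / 100, "203.0.113.20", 443, "tcp") for i in range(100)]
    later = [Packet(11.0 + i / 10, "203.0.113.10", 53, "udp") for i in range(10)]
    for pkt in sorted(flood + legit + later, key=lambda p: p.ts):
        f.process(pkt)
    return {
        "flood": dict(f.stats[("203.0.113.10", 53)]),
        "legit": dict(f.stats[("203.0.113.20", 443)]),
        "log": list(f.log),
    }


if __name__ == "__main__":
    print(simulate())
```

Running it shows the flooded 2-tuple passing the first 5000 packets of the second and dropping the remaining 15000 (the aggregate `ip` limit triggers before the `udp` one), the legitimate flow to a different 2-tuple untouched, and the counter resetting in the next second. Note that every packet, dropped or not, still costs a counter lookup in this software model; that per-packet cost is what the hardware (FTA) programming of 2-tuples mentioned above is meant to remove from the CPUs.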

  • vyper Member

    But the attack happens with no traffic in the box at that moment, zero CGNAT sessions, zero clients. The CGNAT features were configured but not currently being used. Customers were in another box. Attacks of several bunches of UDP packets to all unused public IPs caused the damage.

  • siddharthaa Member, Administrator

    Drop uses much fewer CPU cycles in comparison to normal CGN or Firewall actions.

    The alternatives to ensure that the CPU does not go high are:

    1. Use DDoS mitigation capability and inform upstream routers about flows that need to be dropped (simple BGP black-hole)
    2. Use SPE appliances, DDoS configuration creates entries in SPE tables and they perform the drops in hardware 


  • vyper Member

    Yes, that's the problem: it should be many fewer cycles and drop packets easily.

    Which didn't actually happen. Intermediate routers were not so impacted.
