[j-nsp] Dynamic source/dest address filtering

From: Sher, Ryan (RSher@flagtelecom.com)
Date: Mon Jul 15 2002 - 07:55:32 EDT


Hi,

Before I start straining my poor brain in the lab ... I was hoping some of
the members of this group have done something similar to this before and
have some advice ....

An increasing number of my customers are requesting the filtering of certain
host addresses which are either the source of a denial of service attack or
are under attack by a DoS attack.

Currently, we add a source/dest address reject term onto an output firewall
filter on the customer interface. I would like to find a way of automating
this process (hopefully it can be done within JUNOS and will not require any
scripting).

Since most of my customers who request this filtering are connected with
BGP, my first prize solution would be that the customer could advertise a
/32 with specific communities, one for source-block and one for dest-block.
The policy would then take this prefix and add it to a firewall filter as a
source/dest reject depending on the community. Obviously I wouldn't want to
advertise this /32 to other BGP peers.

Unless there is something I have missed, there is no way of changing the
firewall policy dynamically in JUNOS. So this would probably need a smart
policy ... maybe applied to the Forwarding Engine to tackle the destination
address attacks by adding a route for the /32 to null 0. (I am not even sure
how to do this .... maybe I can set the next hop to the loopback ... will
have to have a play in the lab). There is nothing I can see in policy to
"then next-hop reject" so will have to invent something I guess.

As for source address filtering, without being able to add to firewall ...
hmmm ... I haven't a clue ...

Any ideas or experiences appreciated.

Regards,
Ryan

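Added example (not from Ryan's post, and not Juniper documentation): a JunOS configuration sketch of the community-triggered blackholing Ryan describes, built on a static discard route plus loose-mode unicast RPF instead of a dynamically edited firewall filter. Destination blackholing works because the /32's next-hop is rewritten to an address that resolves to discard; source blackholing reuses the same discard route through the loose-mode RPF check on the customer interface. Every name, address, AS number and community value here is constructed from documentation ranges, and whether the loose-mode RPF check actually drops packets whose source resolves to a discard route is an assumption to confirm on the platform and release in use.

```junos
/* Constructed values: provider AS 64496, customer AS 64500 on ge-0/0/0.0,
   customer block 203.0.113.0/24, communities 64496:666 (blackhole destination)
   and 64496:667 (blackhole source), discard next-hop 192.0.2.1. */
routing-options {
    static {
        /* Any BGP route whose next-hop is rewritten to 192.0.2.1 resolves to discard,
           so forwarding to the blackholed /32 stops in the FIB. */
        route 192.0.2.1/32 discard;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Loose-mode uRPF on the customer-facing interface. Assumed behaviour
                   (verify in the lab): a packet whose source address resolves to the
                   discard route fails the check and is dropped, giving source-based
                   blackholing without touching any firewall filter. */
                rpf-check {
                    mode loose;
                }
            }
        }
    }
}
policy-options {
    community BLACKHOLE-DST members 64496:666;
    community BLACKHOLE-SRC members 64496:667;
    community NO-EXPORT members no-export;
    /* Import policy for the customer session. Term 1 accepts only /32s inside the
       customer's own block that carry a blackhole community, and rewrites their
       next-hop to the discard address. Term 2 rejects any other route carrying a
       blackhole community (wrong length or outside the customer's space), so a
       customer cannot blackhole a larger prefix or someone else's address. Routes
       with neither community fall through to the normal import policy. */
    policy-statement CUST-BLACKHOLE-IN {
        term blackhole-own-32s {
            from {
                protocol bgp;
                route-filter 203.0.113.0/24 prefix-length-range /32-/32;
                community [ BLACKHOLE-DST BLACKHOLE-SRC ];
            }
            then {
                next-hop 192.0.2.1;
                community add NO-EXPORT;
                accept;
            }
        }
        term reject-other-blackhole-routes {
            from community [ BLACKHOLE-DST BLACKHOLE-SRC ];
            then reject;
        }
    }
    /* Export policy towards peers and transits: never leak a blackhole route,
       even if NO-EXPORT were stripped somewhere upstream. */
    policy-statement PEER-OUT {
        term drop-blackholes {
            from community [ BLACKHOLE-DST BLACKHOLE-SRC ];
            then reject;
        }
        /* ... the existing export terms follow here ... */
    }
}
protocols {
    bgp {
        group customers {
            neighbor 203.0.113.1 {
                peer-as 64500;
                /* Chain the blackhole policy ahead of the existing customer import policy. */
                import CUST-BLACKHOLE-IN;
            }
        }
        group peers {
            export PEER-OUT;
        }
    }
}
```

Usage: once this is committed, a customer withdraws or announces 203.0.113.0/24 /32s with the agreed community to start and stop the blackhole themselves, and `show route 192.0.2.1/32` plus `show route community-name BLACKHOLE-DST` confirm that the discard next-hop and the accepted /32s are in place. Because both communities map to the same discard route, a "source" blackhole also drops traffic destined to that address; if that is not acceptable for a given customer, the source case needs a separate discard next-hop and an RPF policy that only fires on it, which this sketch does not include.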
This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:36 EDT