Re: [j-nsp] Dynamic source/dest address filtering

From: Clayton Fiske (clay@bloomcounty.org)
Date: Mon Jul 15 2002 - 13:30:54 EDT


On Mon, Jul 15, 2002 at 12:55:32PM +0100, Sher, Ryan wrote:
> Before I start straining my poor brain in the lab ... I was hoping some of
> the members of this group have done something similar to this before and
> have some advice ....
>
> An increasing number of my customers are requesting the filtering of certain
> host addresses which are either the source of a denial of service attack or
> are under attack by a DOS attack.
>
> Currently, we add source/dest address reject term onto an output firewall
> filter on the customer interface. I would like to find a way of automating
> this process (hopefully it can be done within JUNOS and will not require any
> scripting).
>
> Since most of my customers who request this filtering are connected with
> BGP, my first prize solution would be that the customer could advertise a
> /32 with specific communities, one for source-block and one for dest block.
> The policy would then take this prefix and add it to a firewall filter as a
> source/dest reject depending on the community. Obviously I wouldn't want to
> advertise this /32 to other BGP peers.
>
> Unless there is something I have missed, there is no way of changing the
> firewall policy dynamically in JUNOS. So this would probably need a smart
> policy ... maybe applied to the Forwarding Engine to tackle the destination
> address attacks by adding a route for the /32 to null 0. (I am not even sure
> how to do this .... maybe I can set the next hop to the loopback ... will
> have to have a play in the lab ). There is nothing I can see in policy to
> "then next-hop reject" so will have to invent something I guess.
>
> As for source address filtering, without being able to add to firewall ...
> hmmm ... I haven't a clue ...

I believe one of the DoS tracking/blocking systems out there uses the
loopback technique to block undesired packets. It involves setting a
bogus IP (such as 1.1.1.1) on loopback and then any router on the
network can originate a /32 with 1.1.1.1 as the next-hop, thus killing
the traffic at the edges.

-c
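Clayton's next-hop idea combined with Ryan's community-triggered /32, written out as a JunOS configuration fragment. This is an added example, not configuration from either poster; the blackhole address 192.0.2.1 (a documentation-range placeholder used instead of 1.1.1.1), the community value 65000:666 and the group and policy names are assumptions.

```junos
/* Added example: destination blackhole triggered by a customer BGP route */
routing-options {
    static {
        /* Assumed placeholder blackhole address; anything resolving to it is
           dropped in the forwarding engine, no firewall filter needed */
        route 192.0.2.1/32 discard;
    }
}
policy-options {
    /* Assumed community the customer tags a /32 with to request a block */
    community blackhole members 65000:666;
    community no-export members no-export;
    policy-statement customer-in {
        /* Only host routes carrying the blackhole community are rewritten;
           everything else the customer announces is accepted unchanged */
        term blackhole {
            from {
                protocol bgp;
                community blackhole;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                next-hop 192.0.2.1;
                community add no-export;
                accept;
            }
        }
        term default {
            then accept;
        }
    }
    policy-statement peer-out {
        /* Belt and braces on top of no-export: never leak the /32 to peers */
        term no-blackhole {
            from community blackhole;
            then reject;
        }
        term default {
            then accept;
        }
    }
}
protocols {
    bgp {
        group customers {
            import customer-in;
        }
        group peers {
            export peer-out;
        }
    }
}
```

This handles only the destination-address case the reply describes; the source-address filtering asked about in the quoted mail is not addressed by it.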



This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:36 EDT