RE: [j-nsp] Dynamic source/dest address filtering

From: Stephen Gill (gillsr@yahoo.com)
Date: Wed Jul 17 2002 - 22:18:23 EDT


Ryan,
How goes it in the UK? A couple of points possibly worth mentioning...

Source Filtering
- Aside from manual firewall filters, I don't know of a way to do this.
The best thing would be to filter as far as possible upstream with
automatic source traceback.

Destination Filtering
- Create a well known (by you) discard route on all your border routers.
It is advisable to have discard routes in your routing table for bogon
networks anyways, so presumably you could just point to one of these. A
static discard route is the same as using null0. See:
"junos-template.pdf" and "junos-secure-template.pdf".
- Define a community you would like to use for Destination prefix
filtering.
- Make sure your customers have prefix-lists limiting what they can
advertise to you to their list of assigned prefixes.
- Look for the DOS community from your customers, add the no-export
community if it is not already set, and set the next-hop to the discard
static route already present in your routing table from step 1.
Obviously it is key that customer A not be able to advertise prefixes of
customer B, much less set communities to block traffic to customer B's
prefix.
- You can also announce a DoS community and prefix internally, and
achieve the same filtering effect. The end result is that you filter
traffic to the given destination at your border routers, and it is only
until you stop advertising the "DoS" community. Unfortunately you may
be performing the attacker's job for him/her as that may have been the
desired result.
- You do NOT want to use the loopback interface for this since it will
increase overhead by sending traffic to the router rather than
discarding it immediately.

Cheers,
-- steve
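As an added illustration of the destination-filtering steps above (this is not configuration from the original post; the addresses, AS numbers, community value and policy names are constructed), a JunOS sketch of the discard route, the DoS community, the customer prefix-list and the import policy that ties them together:

```junos
routing-options {
    static {
        /* step 1: well-known discard next-hop, present on every border router */
        route 192.0.2.1/32 discard;
    }
}
policy-options {
    /* step 2: community customers set to request blackholing (constructed value) */
    community DOS-BLACKHOLE members 65000:666;
    community NO-EXPORT members no-export;
    /* step 3: only the prefixes assigned to this customer (constructed) */
    prefix-list CUST-A-PREFIXES {
        198.51.100.0/24;
    }
    policy-statement FROM-CUST-A {
        /* step 4: DoS community on a prefix inside the customer's own space:
           add no-export and point the route at the discard next-hop */
        term blackhole {
            from {
                prefix-list-filter CUST-A-PREFIXES orlonger;
                community DOS-BLACKHOLE;
            }
            then {
                community add NO-EXPORT;
                next-hop 192.0.2.1;
                accept;
            }
        }
        /* normal announcements, still limited to the assigned prefixes */
        term assigned {
            from prefix-list-filter CUST-A-PREFIXES orlonger;
            then accept;
        }
        /* anything else, including another customer's prefixes, is dropped,
           so customer A cannot blackhole customer B */
        term deny-rest {
            then reject;
        }
    }
}
protocols {
    bgp {
        group CUSTOMERS {
            type external;
            neighbor 203.0.113.2 {
                peer-as 64496;
                import FROM-CUST-A;
            }
        }
    }
}
```

Because the rewritten route carries no-export and resolves to a discard route that exists on every border, traffic to the prefix is dropped at the edge for as long as the customer keeps announcing it with the DoS community.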



This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:36 EDT