Re: [j-nsp] (d)DoS handling

From: Jared Mauch (jared@puck.nether.net)
Date: Fri Apr 06 2001 - 00:10:44 EDT


On Fri, Apr 06, 2001 at 05:53:53AM +0200, Dmitri Kalintsev wrote:
> On Thu, Apr 05, 2001 at 06:53:56PM -0700, Bradley Dunn wrote:
> > At 03:27 AM 4/6/2001 +0200, Dmitri Kalintsev wrote:
> > >I've heard rumors that JunOS has some sort of knobs for handling (d)DoS,
> > >such as packet floods with spoofed source, etc (we all know them all too
> > >well). Is there such thing, and if there is then what IS it and how exactly
> > >it works?
> >
> > Check out this application note on minimizing the effects of DoS attacks:
> > http://www.juniper.net/techcenter/app_note/350001.html
>
> Nothing new or particularly exciting. *sigh* Anything else?
>
> By the way, does Juniper have an analog of ip verify reverse-path unicast?
> As well, I vaguely recall somebody in cisco-nsp mentioning cisco's
> extensions to rpf unicast verification, something like "ip verify
> reverse-path unicast relaxed", when it would drop packets that are not in
> FIB at all rather than in FIB for this particular interface packet is
> received on. Does Juniper have something like this or have plans to have it
> implemented? (I could not find anything about these extensions on cisco web
> site, though..)
        I think you are talking about the
"ip verify unicast source reachable-via any"

        This drops packets where the src in the header has no return
path at all. i.e.: I don't have a route to anything in 10/8 in my forwarding
table. If I get anything with a source out of 10/8, I can drop those
on the Cisco. (As of today, you can not do this on Engine-2 linecards.)

        The ability to do this on ocN interfaces on the Juniper would
be wonderful, IMHO :) The added ability of the more strict rpf check
is also useful. This would allow customer based circuits to be filtered.

        - Jared

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
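As an added illustration of the loose versus strict check discussed above (example code, not from the thread or from either vendor), the following Python simulates both uRPF modes against a constructed FIB; the prefixes, interface names and sample packets are made up.

```python
import ipaddress

# Constructed FIB for this example (not from the thread): prefix -> the
# interface the router uses to reach it. Nothing covers 10.0.0.0/8 and there
# is no default route, as on a full-table transit router.
FIB = [(ipaddress.ip_network(p), i) for p, i in {
    "192.0.2.0/24": "ge-1/0/0",       # customer A
    "198.51.100.0/24": "ge-1/1/0",    # customer B
    "203.0.113.0/24": "so-0/0/0",     # reached via upstream
}.items()]

def lookup(src):
    """Longest-prefix match of src against FIB; None when no route exists."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifc in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def rpf_check(src, in_ifc, mode):
    """True if the packet passes uRPF: 'loose' (Cisco 'reachable-via any')
    needs any route to src; 'strict' (Cisco 'reachable-via rx') needs the
    route to src to point back out the receiving interface."""
    out_ifc = lookup(src)
    if out_ifc is None:
        return False               # unroutable source: dropped in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return out_ifc == in_ifc
    raise ValueError(f"unknown mode {mode!r}")

def classify(packets, mode):
    """Return [(src, in_ifc, 'forward'|'drop')] for (src, in_ifc) pairs."""
    return [(s, i, "forward" if rpf_check(s, i, mode) else "drop")
            for s, i in packets]

if __name__ == "__main__":
    # Constructed sample packets: (source address, receiving interface).
    SAMPLE = [
        ("10.1.2.3", "ge-1/0/0"),       # spoofed source with no route at all
        ("192.0.2.10", "ge-1/0/0"),     # customer A from its own port
        ("192.0.2.10", "ge-1/1/0"),     # customer A's prefix from B's port
        ("203.0.113.5", "so-0/0/0"),    # Internet source via upstream
    ]
    for mode in ("loose", "strict"):
        for src, ifc, verdict in classify(SAMPLE, mode):
            print(f"{mode:6} {src:15} in {ifc:8} -> {verdict}")
```

Note that a default route in the FIB would make loose mode accept every source; strict mode on a customer-facing port is what catches a customer emitting another customer's prefix.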
This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:42 EDT