RES: [j-nsp] DDOS to a 802.1ad trunk address

cport at rawbw.com cport at rawbw.com
Thu Apr 8 18:49:51 EDT 2004


Hello Daniel:

How about the following firewall filter -- of course you have to add in your own prefix-list aliases under policy-options. It comes mostly from Stephen Gill's "Junos Security Template" http://www.qorbit.net/documents/junos-template.htm . Note that it is deny-by-default: anything not explicitly permitted (IS-IS, LDP, VRRP, DNS, traceroute replies, and so on) is discarded by the last term, so add terms for whatever your routers actually use before applying it as an input filter on lo0.0.


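/*
 * lo0-protect-hard-in: Routing Engine protection filter.
 *
 * Apply with "interfaces lo0 unit 0 family inet filter input lo0-protect-hard-in".
 * A lo0 input filter only sees traffic addressed to the router itself; it does
 * not touch transit traffic, so the policers below bound what reaches the RE
 * without affecting forwarded packets.
 *
 * Prefix lists nms-workstations, internal-bgp-talkers, internal-ospf-talkers
 * and internal-rip-talkers must be defined under policy-options.
 *
 * Caveats:
 *  - Every "trusted" term keys on the packet's source address. That only holds
 *    if spoofed sources cannot reach the box: pair this with uRPF or
 *    anti-spoofing ingress filters at the edge.
 *  - The last term discards everything not listed. Protocols the router uses
 *    but which have no term here (IS-IS, LDP, VRRP, DNS, DHCP, traceroute/UDP
 *    replies, router-initiated TCP sessions such as FTP/SCP, multicast control)
 *    need their own terms before the final discard.
 *  - Policers discard everything above the rate: a legitimate burst and an
 *    attack share the same bucket, so watch the counters before tightening.
 */
firewall {
    family inet {
        filter lo0-protect-hard-in {
            /* Management plane (SSH) from NMS hosts: 1 Mbps aggregate. */
            policer ssh-1m {
                if-exceeding {
                    bandwidth-limit 1m;
                    burst-size-limit 100k;
                }
                then discard;
            }
            /* ICMP from anywhere: 1 Mbps keeps ping floods off the RE. */
            policer icmp-1m {
                if-exceeding {
                    bandwidth-limit 1m;
                    burst-size-limit 100k;
                }
                then discard;
            }
            /* SNMP/NTP/RADIUS share one 3 Mbps bucket. filter-specific makes a
               single policer instance serve every term that references it;
               without it each term gets its own 3 Mbps (9 Mbps total here). */
            policer utility-3m {
                filter-specific;
                if-exceeding {
                    bandwidth-limit 3m;
                    burst-size-limit 300k;
                }
                then discard;
            }
            /* TCP session setup/teardown (SYN/FIN/RST) from trusted sources. */
            policer tcp-control-1m {
                if-exceeding {
                    bandwidth-limit 1m;
                    burst-size-limit 100k;
                }
                then discard;
            }
            /* Rate limit TCP control traffic from trusted sources. Deliberately
               ahead of the BGP term so BGP session establishment and teardown
               are policed; an established session's traffic falls to term 2. */
            term 1 {
                from {
                    source-prefix-list {
                        nms-workstations;
                        internal-bgp-talkers;
                    }
                    protocol tcp;
                    tcp-flags "(syn & !ack) | fin | rst";
                }
                then {
                    policer tcp-control-1m;
                    accept;
                }
            }
            /* Protect BGP - not rate-limited. "port" matches either side, which
               is needed because the remote peer's source port is 179 when it
               opened the session; the prefix list is what restricts peers. */
            term 2 {
                from {
                    source-prefix-list {
                        internal-bgp-talkers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    accept;
                }
            }
            /* Protect RSVP from the same set of internal routers. */
            term 3 {
                from {
                    source-prefix-list {
                        internal-bgp-talkers;
                    }
                    protocol rsvp;
                }
                then {
                    accept;
                }
            }
            /* Protect OSPF (includes the multicast hellos; only the source is
               checked). */
            term 4 {
                from {
                    source-prefix-list {
                        internal-ospf-talkers;
                    }
                    protocol ospf;
                }
                then {
                    accept;
                }
            }
            /* Protect RIP. */
            term 5 {
                from {
                    source-prefix-list {
                        internal-rip-talkers;
                    }
                    protocol rip;
                }
                then {
                    accept;
                }
            }
            /* SSH from NMS hosts only. Telnet is intentionally not accepted
               here: it carries credentials in cleartext. If it cannot be
               retired yet, add it to destination-port and plan its removal. */
            term 6 {
                from {
                    source-prefix-list {
                        nms-workstations;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer ssh-1m;
                    accept;
                }
            }
            /* SNMP polls from NMS hosts: destination port only. Traps are
               outbound and never traverse this input filter. */
            term 7 {
                from {
                    source-prefix-list {
                        nms-workstations;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    policer utility-3m;
                    accept;
                }
            }
            /* NTP: peers and clients use 123 as both source and destination,
               so either side must match. */
            term 8 {
                from {
                    source-prefix-list {
                        nms-workstations;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    policer utility-3m;
                    accept;
                }
            }
            /* RADIUS replies: the router is the client, so answers arrive with
               source port 1812. Add radacct (1813) if accounting is enabled;
               legacy servers may still answer from 1645. */
            term 9 {
                from {
                    source-prefix-list {
                        nms-workstations;
                    }
                    protocol udp;
                    source-port radius;
                }
                then {
                    policer utility-3m;
                    accept;
                }
            }
            /* Allow the ICMP types needed for diagnostics and PMTU from any
               source, rate-limited; every other ICMP type falls through to the
               final discard. */
            term 10 {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded
                        source-quench ];
                }
                then {
                    policer icmp-1m;
                    accept;
                }
            }
            /* Deny and count everything else. Counting rather than syslogging
               is deliberate: under a flood, "log"/"syslog" would load the very
               RE this filter protects. */
            term 11 {
                then {
                    count lo0-discard-other;
                    discard;
                }
            }
        }
    }
}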


