[j-nsp] netflow/Tracking DDoS
Harshit Kumar
harshit at juniper.net
Wed Apr 14 19:28:06 EDT 2004
Hi Eric,
... this link might help ....
https://www.juniper.net/techpubs/software/junos/junos57/swconfig57-policy/html/firewall-overview.html
Cheers,
Harshit
>-----Original Message-----
>From: juniper-nsp-bounces at puck.nether.net
>[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eric
>Whitehill
>Sent: Wednesday, April 14, 2004 2:02 PM
>To: juniper-nsp at puck.nether.net
>Subject: [j-nsp] netflow/Tracking DDoS
>
>G'day!
>
>Over the last couple of days, I've been attempting to track
>down a nasty little DDoS attack which has been occurring on and
>off against a customer of mine. I'm mainly a Cisco guy, but
>the attacks the customer has been getting are increasing in
>size and amount, and I just can't put an ACL/netflow on any
>sort of Cisco (up to 20,000 pps, and filling an OC-3).
>
>I have an idea of what /20 the attack is destined for, but I
>just can't prove it. I'd be working on M10's, version
>5.7R2.4. I was thinking of doing some sort of policy map, but
>I'm not sure enough on how to do it. Should I attempt to do
>something through firewall? I would like to figure out the
>destination for the attack, and what packets it is consisting
>of. I have been able to do a rate limit on several of the
>major targets (ICMP, port 135 bombs, etc) from my C-brand
>routers, but nothing seems to catch it.
>
>I'm not very Juniper savvy yet (working my way there!) so any
>assistance would be helpful, and at the next Nanog I see you
>at, if it works, I'll buy you a beer.
>
>-Eric
>
>--
>Eric Whitehill - 44.58.39N, 93.15.56W
>Onvoy - ericw at onvoy.com - ASN5006
>"Out the Gig-E, through the router, down the OC-12's, over the
>leased line, off the bridge, past the firewall...nothing but Net."
>