[j-nsp] Dynamic blocklists/blacklists...?

Michael Loftis mloftis at wgops.com
Tue Aug 16 13:15:18 EDT 2005 


--On August 10, 2005 12:02:21 PM -0400 Phil Shafer <phil at juniper.net> wrote:

> Michael Loftis writes:
>> Is there any BCP for maintaining automatic blocklists in JunOS?
>
> Unfortunately not.  We've got reasonable hooks in JUNOS for automation
> for need to write them up as a cohesive guide.  The general advice
> would be:

That's not quite a solution though longer term.  For the size of the org 
I'm managing now it's fine to touch every router as fast as possible in 
DoS/DDoS situations, or in the case of just malicious traffic (dictionary 
attacks, network scans, port scans, and other recon activity), but what if 
you've got 10, 20, or 30 routers?  With vendor C's equipment and loose RPF 
enabled any routes from BGP (or any other IGP/EGP I'd assume) that end up 
going to the Null0 device get a little different treatment.  Outgoing 
packets are obviously handled as normal, but during the incoming RPF check 
the system looks at the source address, makes sure it's in the FIB, and if 
it is it checks to ensure it's not attached to the Null0 interface.  If it 
IS attached to null0 the *incoming* packet is dropped based on the source 
address.

I find this an extremely useful feature, and it certainly trumps having to 
touch each router, and manually or programatically ensure the prefix lists 
are kept in sync.  Like what if a router is down for an extended period, 
then comes back up?  Then the management scripts have to 'know' the router 
is back (most NMS could fire this off) and make sure it's prefix list is in 
sync.

To me....it just seems far easier to have the route server broadcast the 
data via iBGP...

>> I need to
>> be able to have entries added quickly and automatically, but the problem
>> is any time an entry is added to say a prefix list everything gets
>> HUPed...this is mostly fine except that the ntp will never sync in an env
>> where anything is slightly busy since it keeps getting HUP signals.
>
> Modern sw uses what we call a "partial" commit, so daemon's whose
> configuration hasn't changed are not HUP'd.


I'm not entirely sure this is the case.  My NTPd is definitely being 
disturbed almost every time I commit.  I can't say every time because I 
haven't been watching it like a hawk, but I'll start to correllate data 
now.  If I get enough data for a bug report I'll open a JTAC case.


Thanks,

Michael Loftis

More information about the juniper-nsp mailing list