[j-nsp] Dynamic blocklists/blacklists...?

Jeff Aitken jaitken at aitken.com
Tue Aug 16 18:49:30 EDT 2005


On Tue, Aug 16, 2005 at 07:30:10PM +0000, Chris Morrow wrote:
> 1) setup dsc0 interface with /30 address
> 2) setup dsc0 interface with output acl content:
>    filter drop-all-count {
>      term deny-count {
>         then count deny-dsc0 discard;
>      }
>    }
> 3) reset nexthop or set nexthop in quagga/bgpd to /30 far-end

Unless I'm missing something, this only works for dst-ip based
filtering.  If you have a list of bad src-ips (e.g., from
IDS/Arbor/whatever) and want to throw away traffic from them, you
need something else due to the aforementioned difference in how
Cisco & Juniper implement the uRPF check.


> be happy, don't do 'dynamic' filters....

Agreed; my preference would be for Juniper to mimic the Cisco behavior
(i.e., it should be possible to configure the box such that the uRPF
check FAILS if the route to the src-ip of an incoming packet recurses
to null0) but as I recall they said that this was hard/impossible.

However, as Pedro notes, the distributed flow-spec approach gives
you more granularity such as the ability to filter based on src-ip,
proto, port, etc.  It probably won't be long before your favorite
IDS/DDoS detection software will give you the option of injecting
filters this way... which is scary. :-)


--Jeff
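The three steps Chris lists above, written out as one Junos configuration (an added example, not configuration from either poster). The 192.0.2.0/30 range, the community 65000:666, the trigger-router address 10.0.0.1 and the group/policy names are assumed placeholders; rewriting the next-hop in the import policy is a variant of step 3, which Chris does in bgpd instead. As Jeff notes, this matches on destination address only.

```junos
/* Step 1: discard interface; 192.0.2.0/30 is an assumed placeholder range */
interfaces {
    dsc {
        unit 0 {
            family inet {
                filter {
                    output drop-all-count;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
/* Step 2: count, then discard, everything routed out of dsc0 */
firewall {
    filter drop-all-count {
        term deny-count {
            then {
                count deny-dsc0;
                discard;
            }
        }
    }
}
/* Step 3 (variant): accept /32 blackhole routes tagged by the trigger router
   and point them at the far end of the /30 so they resolve via dsc0 */
policy-options {
    community BLACKHOLE members 65000:666;
    policy-statement import-blackhole {
        term blackhole {
            from {
                community BLACKHOLE;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                next-hop 192.0.2.2;
                accept;
            }
        }
    }
}
protocols {
    bgp {
        group rtbh-trigger {
            type internal;
            import import-blackhole;
            /* assumed address of the quagga/bgpd trigger router */
            neighbor 10.0.0.1;
        }
    }
}
```

The deny-dsc0 counter can be read with `show firewall filter drop-all-count` to confirm that traffic to a blackholed /32 is actually being dropped.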
