[j-nsp] best practice for DOS mitigation with M7i's at border
Hannes Gredler
hannes at juniper.net
Sat Dec 2 16:27:02 EST 2006
chris,
see answers/comments inline.
Chris Davies wrote:
> This is the first time we've fought this since migrating to Juniper from
> Cisco, so, we're of course running into a few translation issues from
> our old procedures and also, would prefer to do things the juniper way
> rather than translating cisco methodology to juniper.
> My current approach is:
>
> prefix-list dos-machinename {
>     1.2.3.4/32;
>     2.3.4.0/24;
>     1.2.3.5/32;
> }
>
> firewall {
>     filter inbound-internet {
>         term 4 {
>             from {
>                 source-prefix-list {
>                     dos-machinename;
>                 }
>             }
>             then discard;
>         }
>     }
> }
>
> Can I put multiple rules in the from section, i.e. when we have another
> attack to be mitigated, i.e. persistent scanners, etc.
>
> Can I do something like:
>
> term 4 {
>     from {
>         source-prefix-list {
>             dos-machinename;
>             scanners;
>         }
>     }
>     then discard;
> }
>
> or will that do an 'and' on the conditions?
Yes, you can do this.
Every time you have like match types, e.g. "prefix-list foo, prefix-list
bar", it reads like an OR. If there are unlike match types,
it reads like an AND, e.g. "prefix-list foo, protocol udp".
filter test {
    term 1 {
        from {
            source-prefix-list {
                foo;
                bar;
            }
        }
    }
}
> What I'd like to do is have one rule that reads 2 different prefix lists
> so that we can discard traffic coming in from particular IPs that are
> involved in a botnet attack, discard the occasional persistent scanner
> that hammers away incessantly, and a separate policy-list that will
> allow us to blackhole IPs on our network until we can figure out what
> needs to be done to mitigate the attack. I believe I have to have our
> own IPs listed on a separate rule since that is a destination-address
> rule rather than a prefix-list rule.
I would then split it into two terms and give each term a meaningful name.
> Also, our inbound filters currently are not in what looks to be the
> 'best' order, do I need to delete and reenter the rules in the order
> that they should be handled?
That should be less of a concern, since the entered policy will be compiled
and optimized before being sent to the hardware.
> Our current term 4 is an accept rule, is there a way to renumber that
> and insert the other rule ahead of it?
>
> Right now it reads:
>
> term 4 {
>     from {
>         destination-address {
>             1.2.4.0/22;
>             1.2.8.0/22;   /* our netblocks are listed here */
>             2.2.4.0/22;
>         }
>     }
>     then accept;
> }
Enter configuration mode at firewall xyz and do an "insert term 4 before term 2".
Remember that terms are names, not numbers, and are evaluated in
configuration order (e.g. if you enter a term named "0" it will get appended to the
end of the list).
> I'm guessing I need to renumber that rule somehow and insert my new rule
> ahead of that.
What you may also be interested in is a way to dynamically
propagate your filtering rules into your network rather than reconfiguring
your filter lists on all your border routers.
http://www.juniper.net/techpubs/software/junos/junos81/swconfig81-routing/html/routing-tables-config52.html#1068977
HTH,
/hannes
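The pieces discussed in this exchange, put together as one filter. This is an added illustration, not configuration from Hannes's reply, from Chris's router or from Juniper documentation; the prefix-list and term names, the addresses (RFC 5737 documentation ranges), the policer limits and the interface ge-0/1/0 are all assumptions.

```junos
/* Added example, not from the thread. Names, addresses (RFC 5737
   documentation ranges), policer limits and interface are assumptions. */
policy-options {
    prefix-list botnet-sources {
        198.51.100.0/24;
        203.0.113.10/32;
    }
    prefix-list persistent-scanners {
        203.0.113.77/32;
    }
    prefix-list blackholed-victims {
        /* our own hosts under attack; emptied again once mitigated */
        192.0.2.25/32;
    }
    prefix-list our-netblocks {
        192.0.2.0/24;
    }
}
firewall {
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 50k;
        }
        then discard;
    }
    family inet {
        filter inbound-internet {
            /* Two prefix lists of the same match type in one term are ORed:
               a packet sourced from either list matches. */
            term discard-attack-sources {
                from {
                    source-prefix-list {
                        botnet-sources;
                        persistent-scanners;
                    }
                }
                then {
                    count attack-sources;
                    discard;
                }
            }
            /* Destination-based blackhole kept in its own, named term. */
            term discard-to-victims {
                from {
                    destination-prefix-list {
                        blackholed-victims;
                    }
                }
                then {
                    count blackholed-victims;
                    discard;
                }
            }
            /* Unlike match types in one term are ANDed: destination in our
               space AND protocol icmp, rate-limited by the policer above. */
            term police-icmp-to-us {
                from {
                    destination-prefix-list {
                        our-netblocks;
                    }
                    protocol icmp;
                }
                then {
                    policer icmp-1m;
                    accept;
                }
            }
            /* The original accept term, named instead of numbered. */
            term accept-our-netblocks {
                from {
                    destination-prefix-list {
                        our-netblocks;
                    }
                }
                then accept;
            }
            /* Unmatched packets hit the implicit discard anyway; an explicit
               final term adds a counter so the drops are visible. */
            term default-discard {
                then {
                    count not-ours;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                filter {
                    input inbound-internet;
                }
            }
        }
    }
}
```

A term added to a live filter is appended after the existing terms, so to put it ahead of the accept term move it from `[edit firewall family inet filter inbound-internet]` with `insert term discard-attack-sources before term accept-our-netblocks`, then verify with `show | compare` and `commit check` before committing; `show firewall filter inbound-internet` reads the counters. Note that the filter only takes effect once it is applied to the interface, as in the last stanza, and that it drops packets after they have already crossed the upstream link: it protects the hosts behind the M7i, not the link itself, which is what makes propagating the drop prefixes upstream, as Hannes suggests, the stronger mitigation.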