[j-nsp] best practice for DOS mitigation with M7i's at border

Hannes Gredler hannes at juniper.net
Sat Dec 2 16:27:02 EST 2006


chris,

see answers/comments inline.

Chris Davies wrote:
> This is the first time we've fought this since migrating to Juniper from 
> Cisco, so, we're of course running into a few translation issues from 
> our old procedures and also, would prefer to do things the juniper way 
> rather than translating cisco methodology to juniper.

> My current approach is:
> 
> prefix-list dos-machinename {
>     1.2.3.4/32;
>     2.3.4.5/24;
>     1.2.3.5/32;
> }
> 
> firewall {
>     filter inbound-internet {
>         term 4 {
>             from {
>                 source-prefix-list {
>                     dos-machinename;
>                 }
>             }
>             then discard;
>         }
>     }
> }
> 
> Can I put multiple rules in the from section, i.e. when we have another 
> attack to be mitigated, i.e. persistent scanners, etc.
>
> Can I do something like:
> 
>         term 4 {
>             from {
>                 source-prefix-list {
>                     dos-machinename;
>                     scanners;
>                 }
>             }
>             then discard;
>         }
> 
> or will that do an 'and' on the conditions?

yes you can do this.
every time you have like match-types e.g. "prefix-list foo, prefix-list
bar" it reads like an OR. - If there are dislike match-types
it reads like an AND. e.g. "prefix-list foo, protocol udp"

filter test {
     term 1 {
         from {
             source-prefix-list {
                 foo;
                 bar;
             }
         }
     }
}

> What I'd like to do is have one rule that reads 2 different prefix lists 
> so that we can discard traffic coming in from particular IPs that are 
> involved in a botnet attack, discard the occasional persistent scanner 
> that hammers away incessantly, and a separate policy-list that will 
> allow us to blackhole IPs on our network until we can figure out what 
> needs to be done to mitigate the attack.  I believe I have to have our 
> own IPs listed on a separate rule since that is a destination-address 
> rule rather than a prefix-list rule.

i would then split it into two terms and give the term a meaningful name.

> Also, our inbound filters currently are not in what looks to be the 
> 'best' order, do I need to delete and reenter the rules in the order 
> that they should be handled?

that should be less of a concern since the entered policy will be compiled
and optimized before being sent to the hardware.

> Our current term 4 is an accept rule, is there a way to renumber that 
> and insert the other rule ahead of it?
> 
> Right now it reads:
> 
> term 4 {
>    from {
>       destination-address {
>         1.2.4.0/22;
>         1.2.8.0/22;    (our netblocks are listed here)
>         2.2.4.0/22;
>       }
>    }
>    then accept;
> }

enter config mode firewall xyz and do an "insert term 4 before term 2" -
remember the terms are names and not numbers and are executed according to the
config order. (e.g. if you enter a term named "0" it will get appended to the
end of the list)

> I'm guessing I need to renumber that rule somehow and insert my new rule 
> ahead of that.

what you may also be interested in is a way to dynamically
propagate your filtering rules into your network rather than re-configuring
your filter-lists on all your border routers.

http://www.juniper.net/techpubs/software/junos/junos81/swconfig81-routing/html/routing-tables-config52.html#1068977

HTH,

/hannes
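The two rules Hannes gives above (entries of one match type are OR'ed, different match types are AND'ed; terms are names evaluated in config order, with an implicit discard at the end) are easy to get wrong when translating Cisco ACL habits. The following is an added example, not code from the thread or from Juniper: a small Python model of a firewall filter that applies exactly those semantics and mirrors the `insert term X before term Y` operation. All prefixes, prefix-list names and term names are constructed sample values.

```python
"""Model of how Junos firewall-filter terms match (added example).

Shows the two rules from the thread:
  * inside one match type (several source-prefix-lists) entries are OR'ed,
    across different match types (prefix-list + protocol) they are AND'ed;
  * terms are named, evaluated in config order, first match wins, and an
    unmatched packet hits the implicit discard at the end of the filter.
All addresses and names are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed prefix lists, like "prefix-list dos-machinename { ... }".
PREFIX_LISTS = {
    "dos-machinename": ["198.51.100.4/32", "198.51.100.128/25"],
    "scanners": ["203.0.113.7/32"],
}


@dataclass
class Term:
    name: str
    source_prefix_lists: list = field(default_factory=list)
    destination_addresses: list = field(default_factory=list)
    protocols: list = field(default_factory=list)
    action: str = "accept"  # a term without a 'then' clause accepts

    def matches(self, pkt):
        """Every configured match type must match (AND); within one type any
        entry suffices (OR). A match type that is not configured matches all."""
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        checks = []
        if self.source_prefix_lists:
            checks.append(any(src in ipaddress.ip_network(p)
                              for name in self.source_prefix_lists
                              for p in PREFIX_LISTS[name]))
        if self.destination_addresses:
            checks.append(any(dst in ipaddress.ip_network(p)
                              for p in self.destination_addresses))
        if self.protocols:
            checks.append(pkt["proto"] in self.protocols)
        return all(checks)


class Filter:
    def __init__(self, terms):
        self.terms = list(terms)

    def insert_term_before(self, new_term, existing_name):
        """Mirror of the CLI 'insert term <new> before term <existing>'."""
        idx = [t.name for t in self.terms].index(existing_name)
        self.terms.insert(idx, new_term)

    def evaluate(self, pkt):
        """First matching term wins; implicit discard if no term matches."""
        for t in self.terms:
            if t.matches(pkt):
                return t.name, t.action
        return None, "discard"


def build_filter():
    # Start with the accept term for our own netblock (constructed).
    f = Filter([Term("allow-to-us", destination_addresses=["192.0.2.0/24"])])
    # Then insert the drop term ahead of it, as the thread recommends.
    f.insert_term_before(
        Term("drop-attackers",
             source_prefix_lists=["dos-machinename", "scanners"],
             action="discard"),
        "allow-to-us")
    return f


def evaluate_samples():
    """Run constructed packets through the filter; returns (term, action)."""
    f = build_filter()
    return {
        "attacker": f.evaluate({"src": "198.51.100.200", "dst": "192.0.2.10", "proto": "tcp"}),
        "scanner": f.evaluate({"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "udp"}),
        "customer": f.evaluate({"src": "203.0.113.8", "dst": "192.0.2.10", "proto": "tcp"}),
        "elsewhere": f.evaluate({"src": "203.0.113.8", "dst": "198.51.100.5", "proto": "tcp"}),
    }


def demonstrate_and():
    """Unlike match types AND together: a scanner term limited to UDP does not
    catch the same source over TCP. Returns (udp_matches, tcp_matches)."""
    t = Term("udp-scanners", source_prefix_lists=["scanners"],
             protocols=["udp"], action="discard")
    udp = {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "udp"}
    tcp = {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp"}
    return t.matches(udp), t.matches(tcp)


if __name__ == "__main__":
    for label, result in evaluate_samples().items():
        print(f"{label:10s} -> {result}")
    print("AND across match types (udp, tcp):", demonstrate_and())
```

Note that the destination-address term relies on its position: if `drop-attackers` were appended instead of inserted before `allow-to-us`, traffic from a listed attacker to our netblock would be accepted by the earlier term and the drop list would never be consulted.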

