[j-nsp] best practice for DOS mitigation with M7i's at border
Chris Davies
isp at daviesinc.com
Thu Nov 30 13:28:01 EST 2006
We're a small webhost experiencing a botnet attack from 1200 IPs
reaching roughly 370mb/sec inbound. What is the best way to mitigate
that attack while still maintaining a reasonable uptime for the client?
Obviously we want to mitigate this at the border, but short of entering
1200 IPs in a special filter, what have others done?
All of the requests are coming from valid IPs and are HTTP requests,
so our anti-spoofing filters (i.e. IANA reserved blocks, etc.) aren't
even being touched.
I thought about a policer at 80% of the pipe size for the client -- they
normally use 2% of their connection -- but that will also drop legitimate
traffic.
This is the first time we've fought this since migrating to Juniper from
Cisco, so we're of course running into a few translation issues from
our old procedures, and we would also prefer to do things the Juniper way
rather than translating Cisco methodology to Juniper.
My current approach is:
policy-options {
    prefix-list dos-machinename {
        1.2.3.4/32;
        2.3.4.5/24;
        1.2.3.5/32;
    }
}
firewall {
    filter inbound-internet {
        term 4 {
            from {
                source-prefix-list {
                    dos-machinename;
                }
            }
            then discard;
        }
    }
}
Can I put multiple rules in the from section, i.e. when we have another
attack to be mitigated (persistent scanners, etc.)?
Can I do something like:
term 4 {
    from {
        source-prefix-list {
            dos-machinename;
            scanners;
        }
    }
    then discard;
}
or will that do an 'and' on the conditions?
What I'd like to do is have one rule that reads 2 different prefix lists
so that we can discard traffic coming in from particular IPs that are
involved in a botnet attack, discard the occasional persistent scanner
that hammers away incessantly, and a separate policy-list that will
allow us to blackhole IPs on our network until we can figure out what
needs to be done to mitigate the attack. I believe I have to have our
own IPs listed on a separate rule since that is a destination-address
rule rather than a prefix-list rule.
Also, our inbound filters currently are not in what looks to be the
'best' order. Do I need to delete and re-enter the rules in the order
in which they should be handled?
Our current term 4 is an accept rule. Is there a way to renumber that
and insert the other rule ahead of it?
Right now it reads:
term 4 {
    from {
        /* our netblocks are listed here */
        destination-address {
            1.2.4.0/22;
            1.2.8.0/22;
            2.2.4.0/22;
        }
    }
    then accept;
}
I'm guessing I need to renumber that rule somehow and insert my new rule
ahead of it.
Thanks in advance for any guidance.
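The layout the post is asking about, as an added example that is not part of the original message: a Junos filter with two prefix lists in one term (values listed under a single match condition such as source-prefix-list match if any one of them matches, while different match conditions in the same term are ANDed), a separate destination-address term for blackholing the victim host, and the CLI `insert` command that reorders terms without deleting them. The second prefix-list name (scanners), the counter names and all addresses are assumed placeholders.

```junos
policy-options {
    prefix-list dos-machinename {
        1.2.3.4/32;
        2.3.4.0/24;
        1.2.3.5/32;
    }
    /* placeholder list for persistent scanners */
    prefix-list scanners {
        5.6.7.8/32;
    }
}
firewall {
    filter inbound-internet {
        /* matches if the source is in EITHER list (same condition, ORed) */
        term block-attackers {
            from {
                source-prefix-list {
                    dos-machinename;
                    scanners;
                }
            }
            then {
                count blocked-attackers;
                discard;
            }
        }
        /* separate term: a destination-address condition inside
           block-attackers would be ANDed with the source match */
        term blackhole-victims {
            from {
                destination-address {
                    1.2.4.10/32;
                }
            }
            then {
                count blackholed-victims;
                discard;
            }
        }
        /* existing accept term for our own netblocks stays as-is */
        term 4 {
            from {
                destination-address {
                    1.2.4.0/22;
                }
            }
            then accept;
        }
    }
}
```

Terms are evaluated top to bottom, so in configuration mode `insert firewall filter inbound-internet term block-attackers before term 4` (and the same for blackhole-victims) moves the new terms ahead of the accept term without re-entering it; `show firewall filter inbound-internet` in operational mode then shows the two counters climbing, which is how you confirm the attack traffic is actually being dropped.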