[j-nsp] best practice for DOS mitigation with M7i's at border

Chris Davies isp at daviesinc.com
Thu Nov 30 13:28:01 EST 2006


We're a small webhost experiencing a botnet attack from 1200 IPs 
reaching roughly 370mb/sec inbound.  What is the best way to mitigate 
that attack while still maintaining a reasonable uptime for the client?

Obviously we want to mitigate this at the border, but, short of entering 
in 1200 IPs in a special filter, what have others done?

All of the requests are coming from valid IPs, and are HTTP requests, 
so, our anti-spoofing filters (i.e. IANA reserved blocks, etc) aren't 
even being touched.

I thought about a policer at 80% of the pipe size for the client -- they 
normally use 2% of their connection, but, that will also drop legitimate 
traffic as well.

This is the first time we've fought this since migrating to Juniper from 
Cisco, so, we're of course running into a few translation issues from 
our old procedures and also, would prefer to do things the Juniper way 
rather than translating Cisco methodology to Juniper.

My current approach is:

policy-options {
  prefix-list dos-machinename {
    1.2.3.4/32;
    2.3.4.5/24;
    1.2.3.5/32;
  }
}

firewall {
   filter inbound-internet {
     term 4 {
       from {
         source-prefix-list {
           dos-machinename;
         }
       }
       then discard;
     }
   }
}

Can I put multiple rules in the from section, i.e. when we have another 
attack to be mitigated, i.e. persistent scanners, etc.?

Can I do something like:

     term 4 {
       from {
         source-prefix-list {
           dos-machinename;
           scanners;
         }
       }
       then discard;
     }

or will that do an 'and' on the conditions?

What I'd like to do is have one rule that reads 2 different prefix lists 
so that we can discard traffic coming in from particular IPs that are 
involved in a botnet attack, discard the occasional persistent scanner 
that hammers away incessantly, and a separate policy-list that will 
allow us to blackhole IPs on our network until we can figure out what 
needs to be done to mitigate the attack.  I believe I have to have our 
own IPs listed on a separate rule since that is a destination-address 
rule rather than a prefix-list rule.

Also, our inbound filters currently are not in what looks to be the 
'best' order, do I need to delete and reenter the rules in the order 
that they should be handled?

Our current term 4 is an accept rule, is there a way to renumber that 
and insert the other rule ahead of it?

Right now it reads:

term 4 {
   from {
      destination-address {
        1.2.4.0/22;
        1.2.8.0/22;    /* our netblocks are listed here */
        2.2.4.0/22;
      }
   }
   then accept;
}

I'm guessing I need to renumber that rule somehow and insert my new rule 
ahead of that.

Thanks in advance for any guidance.
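An added worked example (editor's illustration, not part of the original post or of any reply on the list) showing how the pieces asked about above fit together in Junos syntax. Two points it relies on: inside a single `from` block, different match types (source-prefix-list, destination-prefix-list, protocol, ...) are ANDed, while several entries under one match type such as `source-prefix-list` are ORed, so one term can discard traffic from either prefix list; and terms are evaluated in configuration order, with the configure-mode `insert ... before term 4` command used to reorder them instead of deleting and re-entering. All addresses, the prefix-list names `scanners`, `our-netblocks` and `blackholed-hosts`, the term names and the counter names are constructed for the example; the filter is applied to `family inet` implicitly, as in the original post's `firewall { filter ... }` form.

```junos
policy-options {
    prefix-list dos-machinename {
        /* constructed sample attacker sources */
        1.2.3.4/32;
        1.2.3.5/32;
        2.3.4.0/24;
    }
    prefix-list scanners {
        /* constructed sample persistent scanner */
        3.4.5.6/32;
    }
    prefix-list our-netblocks {
        1.2.4.0/22;
        1.2.8.0/22;
        2.2.4.0/22;
    }
    prefix-list blackholed-hosts {
        /* one of our own hosts taken offline while under attack (constructed) */
        1.2.4.10/32;
    }
}
firewall {
    filter inbound-internet {
        /* Sources in either list match: entries under one match type are ORed.
           Counting before discarding gives a per-term view of the drop rate. */
        term drop-attackers {
            from {
                source-prefix-list {
                    dos-machinename;
                    scanners;
                }
            }
            then {
                count dropped-attackers;
                discard;
            }
        }
        /* Separate term: this matches on destination, not source, and mixing
           it into the term above would AND the two conditions together. */
        term blackhole-our-hosts {
            from {
                destination-prefix-list {
                    blackholed-hosts;
                }
            }
            then {
                count blackholed;
                discard;
            }
        }
        /* The existing accept term, now referencing a prefix-list so the
           netblocks are maintained in one place. */
        term 4 {
            from {
                destination-prefix-list {
                    our-netblocks;
                }
            }
            then accept;
        }
    }
}
```

If the new terms are added after term 4 they would never be reached for traffic to our own netblocks, so reorder them in configure mode without re-entering anything: `insert firewall filter inbound-internet term drop-attackers before term 4`, then `insert firewall filter inbound-internet term blackhole-our-hosts before term 4`, and confirm with `show firewall filter inbound-internet` before committing. Once the filter is live, `show firewall filter inbound-internet` in operational mode reports the `dropped-attackers` and `blackholed` counters, which is the quickest check that the prefix lists are actually matching the attack traffic rather than legitimate clients.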

