[j-nsp] preventing DoS attacks
Marlon Duksa
mduksa at gmail.com
Fri Feb 13 20:49:55 EST 2009
Hi - does anyone know if it is possible on Junos to install policers on
logical interfaces to prevent DoS attacks, so that the control plane as a whole
is identified in a filter rule?
Right now I see a default ARP policer is installed on every interface.
I want to customize this so that all traffic is policed (on 100s of my
logical interfaces). How do you identify the control plane in such a filter? I
have a bunch of loopback addresses in my box and do not want to specify each
IP address in my filter.
I'm looking for a keyword like "host-inbound-traffic" or something similar.
For example, in CoS you can do this; you can classify all outbound control
traffic with very few statements:
host-outbound-traffic {
    forwarding-class network-control;
    dscp-code-point af41;
}
I'm not interested in other implications of such an approach at this point (for
example, "limiting BGP update rates is not a good idea" and such); I don't
worry about BGP or other routing updates at this time. All I need to do is
prevent DoS on certain interfaces.
Thanks,
Marlon
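As an added illustration (not part of Marlon's post or of any reply on the list, and not copied from Juniper documentation), here are the two standard Junos ways to match Routing-Engine-bound traffic without enumerating loopback addresses: a filter on lo0, which sees every packet destined to the RE whatever interface it arrived on, and an interface filter whose destination match is a prefix-list built with apply-path from the addresses already configured on the box. The filter, policer and prefix-list names and all rate values are assumptions chosen for the example.

```junos
/* Added example, not from the original post. Names (protect-re, police-to-re,
   limit-icmp, limit-others, router-ipv4) and rates are illustrative. */
policy-options {
    prefix-list router-ipv4 {
        /* Expanded at commit time to every IPv4 address configured on any
           interface, lo0 addresses included, so nothing is listed by hand. */
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
}
firewall {
    policer limit-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer limit-others {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 50k;
        }
        then discard;
    }
    family inet {
        /* Box-wide: applied to lo0, so every packet it sees is RE-bound and
           no destination-address match is needed. */
        filter protect-re {
            term bgp {
                /* Routing protocol sessions are accepted unpoliced, matching
                   the poster's wish to leave BGP alone. */
                from {
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer limit-icmp;
                    accept;
                }
            }
            term everything-else {
                then {
                    policer limit-others;
                    accept;
                }
            }
        }
        /* Per-interface: applied on each logical interface; only traffic
           addressed to one of the router's own addresses is policed, transit
           traffic passes untouched. */
        filter police-to-re {
            term to-re {
                from {
                    destination-prefix-list {
                        router-ipv4;
                    }
                }
                then {
                    policer limit-others;
                    accept;
                }
            }
            term transit {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Two checks worth doing before relying on this. `show configuration policy-options prefix-list router-ipv4 | display inheritance` shows what the apply-path actually expanded to; the expansion keeps each address's configured prefix length, so a /30 on a point-to-point link also matches the peer's address. After commit, `show firewall` lists the counters, and because Junos instantiates a policer separately for each interface a filter is applied to, the per-interface filter gives an independent limit on each logical interface rather than one shared budget; the lo0 filter, by contrast, is a single aggregate limit for the whole Routing Engine.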