[j-nsp] preventing DoS attacks

Stefan Fouant sfouant at gmail.com
Fri Feb 13 22:25:02 EST 2009


On Fri, Feb 13, 2009 at 8:49 PM, Marlon Duksa <mduksa at gmail.com> wrote:
> Hi - does anyone know if it is possible on Junos to install a policers on
> logical interfaces to prevent  DoS attacks so that control plane as a whole
> is identified in a filter rule?
> Right now I see a default ARP policer is installed on every interface.
> I want to customize this so that all traffic is policed (on 100s of my
> logical interfaces). How do you identify control plane in such filter? I
> have a bunch of loopback addresses in my box and do not want to specify each
> IP address in my filter.

If you want to filter control plane traffic destined for the RE (as
opposed to transit traffic) the easiest way to accomplish this would
be to apply a firewall-filter on the lo0.0 interface.  Of course you can
always protect it by applying the filter on the requisite incoming
interfaces, but if you have a large number of interfaces you are faced
with the dilemma as you suggest.  Other options would be to use
apply-groups and apply those filters to a large number of interfaces
using wildcard matching.

The Secure JUNOS template made available from the lovely folks at Team
Cymru has lots of good information on applying firewall-filters and
protecting the control plane of your routers -
http://www.cymru.com/gillsr/documents/junos-template.pdf.

-- 
Stefan Fouant

Yesterday it worked.
Today it is not working.
Windows is like that.
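The two approaches from the reply above, as an added illustration rather than anything from the original post or the Team Cymru template: an input filter with a policer on lo0.0 that covers every RE-bound packet regardless of which loopback address it targets, plus an apply-group that pushes a per-unit filter onto many logical interfaces by wildcard. Filter, policer, group and interface names, the protocol whitelisted, and the rate limits are assumptions chosen for the example.

```junos
/* Policer shared by all RE-bound traffic that is not explicitly whitelisted */
firewall {
    policer RE-POLICER {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* Routing protocol traffic accepted unpoliced (example: BGP) */
            term allow-bgp {
                from {
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Everything else headed for the RE is rate-limited */
            term police-rest {
                then {
                    policer RE-POLICER;
                    accept;
                }
            }
        }
    }
}
/* Applying the filter on lo0.0 catches traffic to every loopback address */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
/* Alternative: apply a filter on all ge-* units via an apply-group wildcard */
groups {
    POLICE-ALL-UNITS {
        interfaces {
            <ge-*> {
                unit <*> {
                    family inet {
                        filter {
                            input CUSTOMER-IN;
                        }
                    }
                }
            }
        }
    }
}
apply-groups POLICE-ALL-UNITS;
```

`CUSTOMER-IN` is assumed to be a separately defined filter; the group applies it to every existing ge-* unit on commit.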

