[j-nsp] preventing DoS attacks

Marlon Duksa mduksa at gmail.com
Mon Feb 16 12:52:33 EST 2009


It is more complicated than this. I have a bunch of subscribers (each sub on
a different VLAN) and I need to protect the CPU per subscriber, per MAC address
and such... also for protocols such as LACP, ANCP, DHCP...
One rule fits all is not the best approach here.

Thanks,
Marlon
On Fri, Feb 13, 2009 at 7:25 PM, Stefan Fouant <sfouant at gmail.com> wrote:

> On Fri, Feb 13, 2009 at 8:49 PM, Marlon Duksa <mduksa at gmail.com> wrote:
> > Hi - does anyone know if it is possible on Junos to install policers on
> > logical interfaces to prevent DoS attacks so that the control plane as a
> > whole is identified in a filter rule?
> > Right now I see a default ARP policer is installed on every interface.
> > I want to customize this so that all traffic is policed (on 100s of my
> > logical interfaces). How do you identify the control plane in such a filter? I
> > have a bunch of loopback addresses in my box and do not want to specify
> > each IP address in my filter.
>
> If you want to filter control plane traffic destined for the RE (as
> opposed to transit traffic) the easiest way to accomplish this would
> be to apply a firewall-filter on the lo0.0 interface.  Of course you can
> always protect it by applying the filter on the requisite incoming
> interfaces, but if you have a large number of interfaces you are faced
> with the dilemma as you suggest.  Other options would be to use
> apply-groups and apply those filters to a large number of interfaces
> using wildcard matching.
>
> The Secure JUNOS template made available from the lovely folks at Team
> Cymru has lots of good information on applying firewall-filters and
> protecting the control plane of your routers -
> http://www.cymru.com/gillsr/documents/junos-template.pdf.
>
> --
> Stefan Fouant
>
> Yesterday it worked.
> Today it is not working.
> Windows is like that.
>
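As an added example (not configuration from this thread or from the Team Cymru template), this is the apply-groups wildcard approach Stefan mentions, used for the per-subscriber protocol policing Marlon describes: a filter on a subscriber unit also sees transit traffic, so it polices only the DHCP traffic headed to the RE and accepts everything else unpoliced, and `interface-specific` gives every unit its own policer instance and counters. The `ge-*` pattern, filter and policer names, and the rates are assumptions; RE-wide protection for routing protocols still belongs on the lo0.0 filter Stefan suggests.

```junos
firewall {
    policer dhcp-per-sub {
        if-exceeding {
            bandwidth-limit 64k;       /* constructed rates, tune per platform */
            burst-size-limit 4k;
        }
        then discard;
    }
    family inet {
        filter subscriber-cp {
            /* separate policer instance and counters per unit the filter is applied to */
            interface-specific;
            term police-dhcp {
                from {
                    protocol udp;
                    destination-port [ 67 68 ];
                }
                then {
                    policer dhcp-per-sub;
                    count dhcp-policed;
                    accept;
                }
            }
            term transit {
                /* a filter ends with an implicit discard, so subscriber traffic must be accepted explicitly */
                then accept;
            }
        }
    }
}
groups {
    police-subscriber-units {
        interfaces {
            <ge-*> {
                unit <*> {
                    family inet {
                        filter {
                            input subscriber-cp;
                        }
                    }
                }
            }
        }
    }
}
apply-groups police-subscriber-units;
```

The wildcard only matches units that already exist in the configuration, so a new subscriber VLAN picks up the filter as soon as its unit is configured; `show firewall` then lists the dhcp-policed counter per unit.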

