[j-nsp] preventing DoS attacks

Amos Rosenboim amos at oasis-tech.net
Mon Feb 16 17:01:58 EST 2009


Marlon,

It wasn't explicitly stated below, so just to clarify.
A firewall filter applied to the lo0.0 interface is applied to all control plane traffic handled by the RE no matter what the destination address on the router is (i.e. it is also applied to the IP address assigned to the interfaces facing your subscribers).

As far as I remember, firewall filters can also combine policers within them (not sure about this), so if I understand your requirement correctly, a firewall filter on lo0.0 will achieve your goal.

Cheers,

Amos

On Feb 16, 2009, at 7:52 PM, Marlon Duksa wrote:

> It is more complicated than this. I have a bunch of subscribers (each sub on
> a different VLAN) and I need to protect CPU per subscriber, per MAC address
> and such... also for protocols such as LACP, ANCP, DHCP...
> One rule fits all is not the best approach here.
>
> Thanks,
> Marlon
> On Fri, Feb 13, 2009 at 7:25 PM, Stefan Fouant <sfouant at gmail.com> wrote:
>
>> On Fri, Feb 13, 2009 at 8:49 PM, Marlon Duksa <mduksa at gmail.com> wrote:
>>> Hi - does anyone know if it is possible on Junos to install policers on
>>> logical interfaces to prevent DoS attacks so that control plane as a whole
>>> is identified in a filter rule?
>>> Right now I see a default ARP policer is installed on every interface.
>>> I want to customize this so that all traffic is policed (on 100s of my
>>> logical interfaces). How do you identify control plane in such filter? I
>>> have a bunch of loopback addresses in my box and do not want to specify each
>>> IP address in my filter.
>>
>> If you want to filter control plane traffic destined for the RE (as
>> opposed to transit traffic) the easiest way to accomplish this would be
>> to apply a firewall-filter on the lo0.0 interface.  Of course you can
>> always protect it by applying the filter on the requisite incoming
>> interfaces, but if you have a large number of interfaces you are faced
>> with the dilemma as you suggest.  Other options would be to use
>> apply-groups and apply those filters to a large number of interfaces
>> using wildcard matching.
>>
>> The Secure JUNOS template made available from the lovely folks at Team
>> Cymru has lots of good information on applying firewall-filters and
>> protecting the control plane of your routers -
>> http://www.cymru.com/gillsr/documents/junos-template.pdf.
>>
>> --
>> Stefan Fouant
>>
>> Yesterday it worked.
>> Today it is not working.
>> Windows is like that.
>>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
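The two approaches discussed in this thread (a lo0.0 filter with policers for RE-bound traffic, and apply-groups with wildcard matching to push a per-interface policer onto many subscriber IFLs) as one worked Junos configuration. This is an added example, not configuration posted by anyone in the thread; the filter, policer, group and prefix-list names, the rate values and the 192.0.2.1 peer address are assumptions chosen for illustration.

```junos
/* Added example (not from this thread). All names and values below are
   illustrative assumptions; the prefix-list content is constructed. */
policy-options {
    prefix-list bgp-peers {
        192.0.2.1/32;          /* constructed sample peer */
    }
}
firewall {
    policer re-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer cp-per-ifl {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        /* Bound to lo0.0, so it is evaluated for every IPv4 packet punted
           to the RE, whichever interface address was the destination. */
        filter protect-re {
            term bgp-from-peers {
                from {
                    source-prefix-list bgp-peers;
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term icmp-rate-limited {
                from {
                    protocol icmp;
                }
                then {
                    policer re-icmp;
                    accept;
                }
            }
            term dhcp {
                from {
                    protocol udp;
                    port [ bootps bootpc ];
                }
                then accept;
            }
            /* Anything not explicitly allowed is counted, logged, dropped.
               Use "accept" here while checking the counter, then discard. */
            term default-discard {
                then {
                    count re-unwanted;
                    log;
                    discard;
                }
            }
        }
        /* interface-specific gives each IFL its own policer instance and
           counters, so one noisy subscriber only uses its own allowance. */
        filter subscriber-cp {
            interface-specific;
            term dhcp-policed {
                from {
                    protocol udp;
                    port [ bootps bootpc ];
                }
                then {
                    policer cp-per-ifl;
                    accept;
                }
            }
            term transit {
                then accept;   /* an IFL input filter also sees transit */
            }
        }
    }
}
/* Wildcard group: applies subscriber-cp to every unit of every ge- port
   without listing the hundreds of IFLs one by one. */
groups {
    subscriber-ifls {
        interfaces {
            <ge-*> {
                unit <*> {
                    family inet {
                        filter {
                            input subscriber-cp;
                        }
                    }
                }
            }
        }
    }
}
apply-groups subscriber-ifls;
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Verify with `show firewall filter protect-re` before the last term discards anything: every protocol the RE must receive (routing protocols, management, NTP, and so on) needs its own accept term ahead of `default-discard`. A `family inet` filter only sees IPv4, so Layer 2 protocols such as LACP are not covered by it and need separate handling.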
