[j-nsp] mitigating dos attack on Juniper M10i

kwarteng kwarteng at myzipnet.com
Tue Apr 5 09:00:47 EDT 2011


Hello all,

I am under a DoS attack arriving via one of my transit providers.
I already have a bogon filter on the router.
I have also tried a blackhole using a BGP community.
The attack still seems to be ongoing.

My config is below:


/* NOTE(review): this is a fragment as posted - the bgp stanza is not closed and the */
/* policy-options wrapper around policy-statement is missing, so the brace nesting */
/* below is not loadable as-is; read it as two excerpts, not one stanza. */
protocols {
    bgp {
        group xxxx {
            type external;
            /* Strips private ASNs from the AS path only; it does not touch communities. */
            remove-private;
            peer-as xxx;
            neighbor a.b.c.d {
                description "eBGP with xxx";
                /* Applied to routes RECEIVED from the provider: it only matches routes */
                /* the provider already tagged with 64999:0 and then accepts them, so it */
                /* has no effect on traffic the provider delivers to us. */
                import block_dos_attack;
                /* On export the same policy matches only routes that already carry */
                /* dos_origin; nothing in this excerpt attaches that community to a */
                /* victim prefix, so no route is marked for blackholing here. The */
                /* community the provider expects for RTBH is normally one the */
                /* provider publishes, not a locally chosen one - confirm with them. */
                export [ prefixes_out block_dos_attack ];
            }
        }


policy-statement block_dos_attack {
        term dos_community {
            /* Matches routes already tagged 64999:0 (see dos_origin below). */
            from community dos_origin;
            then {
                /* 'set' replaces the route's community list with dos_origin alone; */
                /* there is no next-hop discard / reject, so matching routes are */
                /* accepted normally, not blackholed, on this router. */
                community set dos_origin;
                accept;
            }
        }
        /* Everything else is accepted as well; this policy never rejects a route. */
        term default {
            then accept;
        }
    }



    /* 64999:0 uses a private ASN. Whether the transit provider honours or strips */
    /* this community cannot be told from this config - verify against the */
    /* provider's documented blackhole community. */
    community dos_origin members 64999:0;
}


===========
===========

/* NOTE(review): the closing brace of the firewall stanza is not in the post and no */
/* interface or loopback binding of BLOCK-FROM-INTERNET is shown, so where (and */
/* whether) this filter is actually applied cannot be told from here. */
firewall {
    filter BLOCK-FROM-INTERNET {
        /* Static bogon list. Such lists go stale as address space is allocated: */
        /* 128.0.0.0/24, 191.255.0.0/16 and 223.255.255.0/24 look like entries from */
        /* older bogon templates, and 240.0.0.0/5 plus 248.0.0.0/5 together are just */
        /* 240.0.0.0/4. Reconcile against a current bogon reference before relying on it. */
        term block-bogon-prefix {
            from {
                source-address {
                    0.0.0.0/8;
                    10.0.0.0/8;
                    127.0.0.0/8;
                    169.254.0.0/16;
                    128.0.0.0/24;
                    172.16.0.0/12;
                    191.255.0.0/16;
                    192.0.0.0/24;
                    192.0.2.0/24;
                    192.168.0.0/16;
                    223.255.255.0/24;
                    224.0.0.0/4;
                    240.0.0.0/5;
                    248.0.0.0/5;
                    255.255.255.255/32;
                }
            }
            then {
                count bogon-prefix;
                /* Logging every discarded packet adds load under flood volumes; the */
                /* counter alone may be enough while an attack is in progress. */
                log;
                discard;
            }
        }
        /* Anti-spoofing: drops inbound packets claiming a source inside the local */
        /* a.b.0.0/19 block. */
        term block-anti-spoofing {
            from {
                source-address {
                    a.b.0.0/19;
                }
            }
            then {
                log;
                discard;
            }
        }
        /* Per-source blocklist protecting a single mail host (a.b.0.d/32). These are */
        /* individual /32 sources, which does not help against a flood from many or */
        /* spoofed sources. */
        term block-spam-to-mail {
            from {
                source-address {
                    96.230.130.132/32;
                    83.243.37.42/32;
                    70.154.241.84/32;
                    194.9.124.125/32;
                    82.128.87.27/32;
                    41.26.120.244/32;
                    64.184.250.236/32;
                    75.127.159.98/32;
                }
                destination-address {
                    a.b.0.d/32;
                }
            }
            then {
                count block-spam;
                log;
                /* 'syslog' reports each matched packet to the routing engine's syslog in */
                /* addition to the PFE log; at attack rates this itself becomes control-plane load. */
                syslog;
                discard;
            }
        }
        /* Attack traffic whose source is not a bogon, not spoofed-local and not one of */
        /* the listed /32s falls through to accept. There is no policer or rate limit */
        /* anywhere in this filter. */
        term DEFAULT {
            then accept;
        }
    }



Any help would be appreciated.

Emmanuel





