[j-nsp] mitigating dos attack on Juniper M10i
Jonas Frey (Probe Networks)
jf at probe-networks.de
Tue Apr 5 09:36:11 EDT 2011
Hello,
the question is: What do you want to do?
a) Filter the attacked IP (your IP) by your ISP in terms of blackhole
community. Does your ISP offer this?
If they do you need to announce them this single IP address (/32) with
their community set.
b) You can filter the attack on the interfaces its coming in but the
traffic will still enter your interface and you might get charged for
it.
c) You can just route the IP beeing attacked to discard which is usefull
if you have multiple interfaces where the attack is incoming.
Regards,
Jonas Frey
Am Dienstag, den 05.04.2011, 13:00 +0000 schrieb kwarteng:
> Hello all,
>
> I am having a dos attack from one of my Transit providers.
> I already have a bogon filter on the router.
> I have also tried a blackhole with a bgp community.
> The attack still seem to be on.
>
> My config below:
>
>
> protocols {
> bgp {
> group xxxx {
> type external;
> remove-private;
> peer-as xxx;
> neighbor a.b.c.d {
> description "eBGP with xxx";
> import block_dos_attack;
> export [ prefixes_out block_dos_attack ];
> }
> }
>
>
> policy-statement block_dos_attack {
> term dos_community {
> from community dos_origin;
> then {
> community set dos_origin;
> accept;
> }
> }
> term default {
> then accept;
> }
> }
>
>
>
> community dos_origin members 64999:0;
> }
>
>
> ===========
> ===========
>
> firewall {
> filter BLOCK-FROM-INTERNET {
> term block-bogon-prefix {
> from {
> source-address {
> 0.0.0.0/8;
> 10.0.0.0/8;
> 127.0.0.0/8;
> 169.254.0.0/16;
> 128.0.0.0/24;
> 172.16.0.0/12;
> 191.255.0.0/16;
> 192.0.0.0/24;
> 192.0.2.0/24;
> 192.168.0.0/16;
> 223.255.255.0/24;
> 224.0.0.0/4;
> 240.0.0.0/5;
> 248.0.0.0/5;
> 255.255.255.255/32;
> }
> }
> then {
> count bogon-prefix;
> log;
> discard;
> }
> }
> term block-anti-spoofing {
> from {
> source-address {
> a.b.0.0/19;
> }
> }
> then {
> log;
> discard;
> }
> }
> term block-spam-to-mail {
> from {
> source-address {
> 96.230.130.132/32;
> 83.243.37.42/32;
> 70.154.241.84/32;
> 194.9.124.125/32;
> 82.128.87.27/32;
> 41.26.120.244/32;
> 64.184.250.236/32;
> 75.127.159.98/32;
> }
> destination-address {
> a.b.0.d/32;
> }
> }
> then {
> count block-spam;
> log;
> syslog;
> discard;
> }
> }
> term DEFAULT {
> then accept;
> }
> }
>
>
>
> Any help please
>
> Emmanuel
>
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20110405/ff61210f/attachment.pgp>
More information about the juniper-nsp
mailing list