[j-nsp] mitigating dos attack on Juniper M10i

kwarteng kwarteng at myzipnet.com
Tue Apr 5 10:07:36 EDT 2011


Hello,

The issue is the incoming traffic on my interface has all of a sudden increased by about 100M.

Input rate     : 117310032 bps (11356 pps)
  Output rate    : 2590056 bps (1863 pps)

I cannot source this huge traffic from anywhere on my network.
I can't figure out my customers' IPs which originate this traffic because the traffic gets cut off on my policy enforcer.
My Transit provider says I can implement this community 64999:0 on my prefixes to help mitigate this DOS.

I do not want the traffic to enter my interface at all but to be dropped at my Transit provider's end.

So far I have not been able to figure out which IP in my network is being attacked. I tried the accounting, but the show commands to go through.

I just want to stop this DOS attack so that my uplink can be used by my customers.

Any help please

Emmanuel

 

-----Original Message-----
From: Jonas Frey (Probe Networks) [mailto:jf at probe-networks.de] 
Sent: Tuesday, April 05, 2011 1:36 PM
To: kwarteng
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i

Hello,

the question is: What do you want to do?

a) Filter the attacked IP (your IP) by your ISP in terms of blackhole community. Does your ISP offer this?
If they do you need to announce them this single IP address (/32) with their community set.

b) You can filter the attack on the interfaces it's coming in on, but the traffic will still enter your interface and you might get charged for it.

c) You can just route the IP being attacked to discard, which is useful if you have multiple interfaces where the attack is incoming.

Regards,
Jonas Frey


On Tuesday, 05.04.2011, 13:00 +0000, kwarteng wrote:
> Hello all,
> 
> I am having a dos attack from one of my Transit providers.
> I already have a bogon filter on the router.
> I have also tried a blackhole with a bgp community.
> The attack still seems to be on.
> 
> My config below:
> 
> 
> protocols {
>     bgp {
>         group xxxx {
>             type external;
>             remove-private;
>             peer-as xxx;
>             neighbor a.b.c.d {
>                 description "eBGP with xxx";
>                 import block_dos_attack;
>                 export [ prefixes_out block_dos_attack ];
>             }
>         }
>     }
> }
> 
> 
> policy-statement block_dos_attack {
>         term dos_community {
>             from community dos_origin;
>             then {
>                 community set dos_origin;
>                 accept;
>             }
>         }
>         term default {
>             then accept;
>         }
>     }
> 
> 
> 
>     community dos_origin members 64999:0; }
> 
> 
> ===========
> ===========
> 
> firewall {
>     filter BLOCK-FROM-INTERNET {
>         term block-bogon-prefix {
>             from {
>                 source-address {
>                     0.0.0.0/8;
>                     10.0.0.0/8;
>                     127.0.0.0/8;
>                     169.254.0.0/16;
>                     128.0.0.0/24;
>                     172.16.0.0/12;
>                     191.255.0.0/16;
>                     192.0.0.0/24;
>                     192.0.2.0/24;
>                     192.168.0.0/16;
>                     223.255.255.0/24;
>                     224.0.0.0/4;
>                     240.0.0.0/5;
>                     248.0.0.0/5;
>                     255.255.255.255/32;
>                 }
>             }
>             then {
>                 count bogon-prefix;
>                 log;
>                 discard;
>             }
>         }
>         term block-anti-spoofing {
>             from {
>                 source-address {
>                     a.b.0.0/19;
>                 }
>             }
>             then {
>                 log;
>                 discard;
>             }
>         }
>         term block-spam-to-mail {
>             from {
>                 source-address {
>                     96.230.130.132/32;
>                     83.243.37.42/32;
>                     70.154.241.84/32;
>                     194.9.124.125/32;
>                     82.128.87.27/32;
>                     41.26.120.244/32;
>                     64.184.250.236/32;
>                     75.127.159.98/32;
>                 }
>                 destination-address {
>                     a.b.0.d/32;
>                 }
>             }
>             then {
>                 count block-spam;
>                 log;
>                 syslog;
>                 discard;
>             }
>         }
>         term DEFAULT {
>             then accept;
>         }
>     }
> }
> 
> 
> 
> Any help please
> 
> Emmanuel
> 
> 
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp
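Jonas's option (a) as an added Junos configuration example, not taken from the thread: it originates the attacked /32 as a static discard route carrying the provider's 64999:0 community and exports only such tagged host routes, which the quoted export policy does not do on its own, since its term only matches routes that already carry the community. The victim address a.b.0.x, the policy name rtbh-out and the export ordering are assumptions; a.b.0.0/19 is the redacted customer block from the thread.

```junos
policy-options {
    /* provider's blackhole community, as given in the thread */
    community dos_origin members 64999:0;

    policy-statement rtbh-out {
        /* only host routes we originated as static discard routes leave with the tag */
        term rtbh-host-routes {
            from {
                protocol static;
                route-filter a.b.0.0/19 prefix-length-range /32-/32;
                community dos_origin;
            }
            then accept;
        }
        /* everything else falls through to prefixes_out without the blackhole tag */
        term strip-tag {
            then community delete dos_origin;
        }
    }
}

routing-options {
    static {
        /* a.b.0.x is a placeholder for the attacked host once it is identified */
        route a.b.0.x/32 {
            discard;
            community 64999:0;
        }
    }
}

protocols {
    bgp {
        group xxxx {
            /* rtbh-out is evaluated first; prefixes_out keeps announcing the aggregate */
            export [ rtbh-out prefixes_out ];
        }
    }
}
```

Check with `show route advertising-protocol bgp a.b.c.d detail`, which should list the /32 with community 64999:0; once the provider installs it, the traffic is dropped on their side and the uplink is freed, though all traffic to that one host is lost until the static route is removed.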




