[j-nsp] mitigating dos attack on Juniper M10i

OBrien, Will ObrienH at missouri.edu
Tue Apr 5 10:23:49 EDT 2011


It depends on just how bad the attack is.
If you can't identify the major sources with something like netflow/cflow, you might be able to identify the target. I suggest popping the policer on your customers one by one and taking note of whose inbound traffic spikes the most.

Alternatively, if it's saturating your link, you could temporarily stop advertising routes on a per customer basis and look for a significant drop in inbound traffic. (This assumes that they have significantly different netblocks)

Unfortunately, a well-planned ddos attack can often target multiple end users, making it more difficult to nail down.

On Apr 5, 2011, at 9:07 AM, kwarteng wrote:

> Hello,
> 
> The issue is the incoming traffic on my interface has all of a sudden increased by about 100M.
> 
> Input rate     : 117310032 bps (11356 pps)
> Output rate    : 2590056 bps (1863 pps)
> 
> I cannot source this huge traffic from anywhere on my network.
> I can't figure out my customers IPs which originate this traffic because the traffic gets cut off on my policy enforcer.
> My Transit provider says I can implement this community 64999:0 on my prefixes to help mitigate this DOS.
> 
> I do not want the traffic to enter my interface at all but dropped at my Transit providers end.
> 
> So far I have not been able to figure out which IP in my network is being attacked. I tried the accounting, but the show commands to go through.
> 
> I just want to stop this DOS attack so that my uplink can be used by my customers.
> 
> Any help please
> 
> Emmanuel
> 
> 
> 
> -----Original Message-----
> From: Jonas Frey (Probe Networks) [mailto:jf at probe-networks.de] 
> Sent: Tuesday, April 05, 2011 1:36 PM
> To: kwarteng
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
> 
> Hello,
> 
> the question is: What do you want to do?
> 
> a) Filter the attacked IP (your IP) by your ISP in terms of blackhole community. Does your ISP offer this?
> If they do you need to announce them this single IP address (/32) with their community set.
> 
> b) You can filter the attack on the interfaces it's coming in on, but the traffic will still enter your interface and you might get charged for it.
> 
> c) You can just route the IP being attacked to discard, which is useful if you have multiple interfaces where the attack is incoming.
> 
> Regards,
> Jonas Frey
> 
> 
> On Tuesday, 05.04.2011, 13:00 +0000, kwarteng wrote:
>> Hello all,
>> 
>> I am having a dos attack from one of my Transit providers.
>> I already have a bogon filter on the router.
>> I have also tried a blackhole with a bgp community.
>> The attack still seems to be on.
>> 
>> My config below:
>> 
>> 
>> protocols {
>>     bgp {
>>         group xxxx {
>>             type external;
>>             remove-private;
>>             peer-as xxx;
>>             neighbor a.b.c.d {
>>                 description "eBGP with xxx";
>>                 import block_dos_attack;
>>                 export [ prefixes_out block_dos_attack ];
>>             }
>>         }
>>     }
>> }
>> 
>> policy-options {
>>     policy-statement block_dos_attack {
>>         term dos_community {
>>             from community dos_origin;
>>             then {
>>                 community set dos_origin;
>>                 accept;
>>             }
>>         }
>>         term default {
>>             then accept;
>>         }
>>     }
>>     community dos_origin members 64999:0;
>> }
>> 
>> 
>> ===========
>> ===========
>> 
>> firewall {
>>    filter BLOCK-FROM-INTERNET {
>>        term block-bogon-prefix {
>>            from {
>>                source-address {
>>                    0.0.0.0/8;
>>                    10.0.0.0/8;
>>                    127.0.0.0/8;
>>                    169.254.0.0/16;
>>                    128.0.0.0/24;
>>                    172.16.0.0/12;
>>                    191.255.0.0/16;
>>                    192.0.0.0/24;
>>                    192.0.2.0/24;
>>                    192.168.0.0/16;
>>                    223.255.255.0/24;
>>                    224.0.0.0/4;
>>                    240.0.0.0/5;
>>                    248.0.0.0/5;
>>                    255.255.255.255/32;
>>                }
>>            }
>>            then {
>>                count bogon-prefix;
>>                log;
>>                discard;
>>            }
>>        }
>>        term block-anti-spoofing {
>>            from {
>>                source-address {
>>                    a.b.0.0/19;
>>                }
>>            }
>>            then {
>>                log;
>>                discard;
>>            }
>>        }
>>        term block-spam-to-mail {
>>            from {
>>                source-address {
>>                    96.230.130.132/32;
>>                    83.243.37.42/32;
>>                    70.154.241.84/32;
>>                    194.9.124.125/32;
>>                    82.128.87.27/32;
>>                    41.26.120.244/32;
>>                    64.184.250.236/32;
>>                    75.127.159.98/32;
>>                }
>>                destination-address {
>>                    a.b.0.d/32;
>>                }
>>            }
>>            then {
>>                count block-spam;
>>                log;
>>                syslog;
>>                discard;
>>            }
>>        }
>>        term DEFAULT {
>>            then accept;
>>        }
>>    }
>> }
>> 
>> 
>> 
>> Any help please
>> 
>> Emmanuel
>> 
>> 
>> 
>> 
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
> 

Will O'Brien
University of Missouri, DoIT DNPS
Network Systems Analyst - Redacted

obrienh at missouri.edu
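Jonas's option (a), the remote-triggered blackhole, as an added Junos configuration example that is not from anyone in this thread. It assumes a single attacked host inside the a.b.0.0/19 block (a.b.0.66/32 is a placeholder), the provider's blackhole community 64999:0 quoted above, and the neighbor a.b.c.d from the posted config. The posted policy only re-tags routes that already carry the community; here the /32 is originated locally as a discard route (which also gives Jonas's option (c) on the router itself) and the community is attached on export.

```junos
routing-options {
    static {
        /* Placeholder: the attacked host, a /32 inside the a.b.0.0/19 block from the thread. */
        route a.b.0.66/32 {
            discard;
            /* Internal marker so the export policy can select blackhole routes only. */
            tag 666;
        }
    }
}
policy-options {
    /* 64999:0 is the transit provider's blackhole community quoted in the thread. */
    community dos_origin members 64999:0;
    policy-statement rtbh-to-transit {
        term blackhole-host {
            from {
                protocol static;
                tag 666;
                /* Only ever announce host routes with the blackhole community. */
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                community set dos_origin;
                accept;
            }
        }
        /* Everything else falls through to the existing aggregate export policy. */
        term default {
            then next policy;
        }
    }
}
protocols {
    bgp {
        group xxxx {
            neighbor a.b.c.d {
                /* rtbh-to-transit must come before prefixes_out, which normally rejects /32s. */
                export [ rtbh-to-transit prefixes_out ];
            }
        }
    }
}
```

Confirm the announcement with `show route advertising-protocol bgp a.b.c.d a.b.0.66/32 detail` and check that the community is present; the provider's input rate on your interface should drop once they install the discard on their side.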
