[j-nsp] mitigating dos attack on Juniper M10i
Justin M. Streiner
streiner at cluebyfour.org
Tue Apr 5 11:18:55 EDT 2011
On Tue, 5 Apr 2011, imutsu at gmail.com wrote:
> You should set the firewall filter on the interface to your transit to
> drop the packets.
Firewall filters are fine as another line of defense, but if the attack is
inbound, particularly if it's intended to be a 'pipe filler', most of the
effect of the attack has already been done by the time the traffic reaches
your filters.
jms
> -----Original Message-----
> From: "kwarteng" <kwarteng at myzipnet.com>
> Sender: juniper-nsp-bounces at puck.nether.net
> Date: Tue, 5 Apr 2011 13:00:47
> To: <juniper-nsp at puck.nether.net>
> Subject: [j-nsp] mitigating dos attack on Juniper M10i
>
>
> Hello all,
>
> I am having a dos attack from one of my Transit providers.
> I already have a bogon filter on the router.
> I have also tried a blackhole with a bgp community.
> The attack still seems to be on.
>
> My config below:
>
>
> protocols {
>     bgp {
>         group xxxx {
>             type external;
>             remove-private;
>             peer-as xxx;
>             neighbor a.b.c.d {
>                 description "eBGP with xxx";
>                 import block_dos_attack;
>                 export [ prefixes_out block_dos_attack ];
>             }
>         }
>     }
> }
>
> policy-options {
>     policy-statement block_dos_attack {
>         term dos_community {
>             from community dos_origin;
>             then {
>                 community set dos_origin;
>                 accept;
>             }
>         }
>         term default {
>             then accept;
>         }
>     }
>     community dos_origin members 64999:0;
> }
>
>
> ===========
> ===========
>
> firewall {
>     filter BLOCK-FROM-INTERNET {
>         term block-bogon-prefix {
>             from {
>                 source-address {
>                     0.0.0.0/8;
>                     10.0.0.0/8;
>                     127.0.0.0/8;
>                     169.254.0.0/16;
>                     128.0.0.0/24;
>                     172.16.0.0/12;
>                     191.255.0.0/16;
>                     192.0.0.0/24;
>                     192.0.2.0/24;
>                     192.168.0.0/16;
>                     223.255.255.0/24;
>                     224.0.0.0/4;
>                     240.0.0.0/5;
>                     248.0.0.0/5;
>                     255.255.255.255/32;
>                 }
>             }
>             then {
>                 count bogon-prefix;
>                 log;
>                 discard;
>             }
>         }
>         term block-anti-spoofing {
>             from {
>                 source-address {
>                     a.b.0.0/19;
>                 }
>             }
>             then {
>                 log;
>                 discard;
>             }
>         }
>         term block-spam-to-mail {
>             from {
>                 source-address {
>                     96.230.130.132/32;
>                     83.243.37.42/32;
>                     70.154.241.84/32;
>                     194.9.124.125/32;
>                     82.128.87.27/32;
>                     41.26.120.244/32;
>                     64.184.250.236/32;
>                     75.127.159.98/32;
>                 }
>                 destination-address {
>                     a.b.0.d/32;
>                 }
>             }
>             then {
>                 count block-spam;
>                 log;
>                 syslog;
>                 discard;
>             }
>         }
>         term DEFAULT {
>             then accept;
>         }
>     }
> }
>
>
>
> Any help please
>
> Emmanuel
>
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
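The point in the reply above is that an inbound pipe-filler has to be stopped before it reaches your own link, which is what a remote-triggered blackhole (RTBH) advertised to the transit provider does. The Junos fragment below is an added example, not configuration from this thread or from Juniper. It assumes a placeholder victim host 192.0.2.10/32 (standing in for the a.b.0.d host in the original post), a locally chosen trigger community 64999:666, and a provider blackhole community 65000:666 that stands in for whatever community the transit provider actually publishes for RTBH; a private community the provider has not agreed to honour, such as the 64999:0 in the post, has no effect on their side.

```junos
/* Added example, not from the thread. Placeholders: 192.0.2.10/32 = attacked host,
   64999:666 = local trigger community, 65000:666 = provider-published RTBH community. */
routing-options {
    static {
        /* Trigger: one /32 per attacked host, dropped locally and tagged for export. */
        route 192.0.2.10/32 {
            discard;
            community 64999:666;
        }
    }
}
policy-options {
    community BLACKHOLE-LOCAL members 64999:666;
    /* Replace with the community the transit provider documents for blackholing. */
    community BLACKHOLE-PROVIDER members 65000:666;
    policy-statement export-to-transit {
        /* Only static /32 routes carrying the local trigger community are
           rewritten with the provider's blackhole community and advertised. */
        term rtbh {
            from {
                protocol static;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
                community BLACKHOLE-LOCAL;
            }
            then {
                community set BLACKHOLE-PROVIDER;
                accept;
            }
        }
        /* Normal customer aggregate; 192.0.2.0/24 is a placeholder for a.b.0.0/19. */
        term prefixes_out {
            from {
                route-filter 192.0.2.0/24 exact;
            }
            then accept;
        }
        /* Nothing else leaves this session, so an untagged /32 is never leaked. */
        term deny-rest {
            then reject;
        }
    }
}
protocols {
    bgp {
        group transit {
            type external;
            peer-as 65000;
            neighbor 198.51.100.1 {
                description "placeholder eBGP session to transit";
                export export-to-transit;
            }
        }
    }
}
```

Only a /32 that is statically routed to discard and tagged with the trigger community is rewritten and exported; everything else goes through the normal prefix terms. The provider must also admit the /32 past any prefix-length filter on the session, which is something to agree with them before an attack rather than during one. Once they accept the route, traffic to that host is dropped inside their network instead of filling the transit link; the host itself stays unreachable for the duration, which is the deliberate trade-off of this technique. `show route advertising-protocol bgp 198.51.100.1` confirms the /32 is being sent with the expected community, and the provider's looking glass confirms it was accepted.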