[j-nsp] mitigating dos attack on Juniper M10i

Stefan Fouant sfouant at shortestpathfirst.net
Tue Apr 5 11:32:51 EDT 2011


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of kwarteng
> Sent: Tuesday, April 05, 2011 10:08 AM
> To: 'Jonas Frey (Probe Networks)'
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
> 
> Hello,
> 
> The issue is the incoming traffic on my interface has all of a sudden
> increased by about 100M.
> 
> Input rate     : 117310032 bps (11356 pps)
>   Output rate    : 2590056 bps (1863 pps)
> 
> I cannot source this huge traffic from anywhere on my network.
> I can't figure out my customers' IPs which originate this traffic
> because the traffic gets cut off on my policy enforcer.
> My Transit provider says I can implement this community 64999:0 on my
> prefixes to help mitigate this DOS.
> 
> I do not want the traffic to enter my interface at all but dropped at
> my Transit provider's end.
> 
> So far I have not been able to figure out which IP in my network is
> being attacked. I tried the accounting, but the show commands to go
> through.

This is key: if you can't figure out which IP in your network is being
attacked, you are not going to be able to advertise the affected route to
your ISP.  If you don't know what IP is being attacked, you will need to
advertise a larger netblock, which is probably not what you want to do
because you will end up blackholing traffic for a lot of different folks and
your other customers will be unhappy :)

Without flow visibility, one way to accomplish this and determine the IP
under attack is to use something called Prefix-Specific Counters.  Something
along the following lines should help you to narrow it down.  Insert term 1
into the appropriate location.

[edit firewall]
bogus@m120-1# show 
family inet {
    prefix-action find-attacker {
        count;
        destination-prefix-length 32;
    }
}
filter incoming-policy {
    term 1 {
        then {
            next term;
            prefix-action find-attacker;
        }
    }
}

Then you could do a 'show firewall prefix-action-stats filter
incoming-policy prefix-action find-attacker' to isolate it to the host under
attack.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
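The approach described in the reply, as an added example that is not part of the original thread: a small Python model of a prefix-action with destination-prefix-length 32 (one counter per /32 inside the customer block), a check for the one counter that stands out, and the Junos set-commands that would announce that /32 tagged with the provider's 64999:0 community. The flows, the 192.0.2.0/24 block, the 10-second interval and the policy name export-blackhole are all constructed or assumed.

```python
import ipaddress
from collections import Counter

# Constructed sample, not real data: (destination, packets) seen on the transit
# interface over a 10-second interval, standing in for what the router's
# prefix-action counters would accumulate.
SAMPLE_FLOWS = [
    ("192.0.2.17", 9650),   # the flooded host
    ("192.0.2.5", 120),
    ("192.0.2.40", 310),
    ("192.0.2.17", 1200),
    ("192.0.2.99", 75),
    ("198.51.100.8", 500),  # outside the block the term matches; ignored
]

def prefix_action_counters(flows, subnet, destination_prefix_length=32):
    """Model of 'prefix-action ... destination-prefix-length 32': one packet
    counter per sub-prefix of `subnet`. Destinations outside `subnet` are
    skipped, as if the term's 'from' clause matched only that block."""
    net = ipaddress.ip_network(subnet)
    counters = Counter()
    for dst, pkts in flows:
        addr = ipaddress.ip_address(dst)
        if addr not in net:
            continue
        sub = ipaddress.ip_network((int(addr), destination_prefix_length), strict=False)
        counters[str(sub)] += pkts
    return counters

def find_attacked_prefix(counters, interval_seconds, threshold_pps):
    """Return (prefix, pps) for the busiest counter if it exceeds threshold_pps,
    else None. One /32 far above the rest is the host to blackhole."""
    if not counters:
        return None
    prefix, pkts = counters.most_common(1)[0]
    pps = pkts / interval_seconds
    return (prefix, pps) if pps >= threshold_pps else None

def rtbh_config(prefix, community="64999:0", policy="export-blackhole"):
    """Junos set-commands that discard the prefix locally and tag it with the
    provider's blackhole community on export (policy name is assumed)."""
    return "\n".join([
        f"set routing-options static route {prefix} discard",
        f"set policy-options community blackhole members {community}",
        f"set policy-options policy-statement {policy} term blackhole from route-filter {prefix} exact",
        f"set policy-options policy-statement {policy} term blackhole then community add blackhole",
        f"set policy-options policy-statement {policy} term blackhole then accept",
    ])

if __name__ == "__main__":
    counts = prefix_action_counters(SAMPLE_FLOWS, "192.0.2.0/24")
    hit = find_attacked_prefix(counts, interval_seconds=10, threshold_pps=1000)
    if hit:
        print(f"{hit[0]} at {hit[1]:.0f} pps\n{rtbh_config(hit[0])}")
```

The policy still has to be applied to the export side of the transit BGP session, and the threshold is a judgement call against the interface's normal per-host rate.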