[j-nsp] mitigating dos attack on Juniper M10i
Giuliano Medalha
giuliano at wztech.com.br
Tue Apr 5 11:53:16 EDT 2011
You can create a RE filter to protect the control plane (apply it input in
lo0):
/* goes under [edit firewall family inet]; the policers referenced by the
   terms must be defined at the same level */
filter protect-RE {
    term bgp {
        from {
            protocol tcp;
            port bgp;
        }
        then {
            policer bgp-policer;
            count bgp;
            accept;
        }
    }
    term snmp {
        from {
            source-prefix-list {
                snmp-addresses;
            }
            protocol udp;
            destination-port snmp;
        }
        then {
            policer snmp-policer;
            count snmp-count;
            accept;
        }
    }
    term ntp {
        from {
            source-prefix-list {
                ntp-addresses;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer ntp-policer;
            count ntp;
            accept;
        }
    }
    term dns {
        from {
            source-prefix-list {
                dns-addresses;
            }
            protocol udp;
            /* replies to the RE's own resolver queries come from port 53 */
            source-port domain;
        }
        then {
            policer dns-policer;
            count dns;
            accept;
        }
    }
    term traceroute {
        from {
            protocol udp;
            destination-port 33434-33534;
        }
        then {
            count traceroute-traffic;
            accept;
        }
    }
    term icmp {
        from {
            protocol icmp;
            icmp-type [ echo-request echo-reply unreachable time-exceeded ];
        }
        then {
            /* small-bw-policer is not defined in this snippet; add it
               alongside the policers below before committing */
            policer small-bw-policer;
            count icmp-traffic;
            accept;
        }
    }
    term discard-everything-else {
        then {
            count deny-everything-else;
            log;
            discard;
        }
    }
}
policer dns-policer {
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 15k;
    }
    then discard;
}
policer ntp-policer {
    if-exceeding {
        bandwidth-limit 250k;
        burst-size-limit 15k;
    }
    then discard;
}
policer snmp-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 15k;
    }
    then discard;
}
policer bgp-policer {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 2m;
    }
    then discard;
}
After that you can use black hole rules with communities to mitigate the attack.
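A minimal Junos remotely-triggered blackhole setup of the kind the last sentence refers to, added here as an illustration and not part of the original post. The community value 65535:666, the discard next-hop 192.0.2.1 and the BGP group name `upstreams` are assumptions; adjust them to your own policy.

```junos
/* Added example, not from the original post. Assumed values:
   community 65535:666, discard next-hop 192.0.2.1, group name upstreams. */
routing-options {
    static {
        /* unused address that resolves to a discard next-hop on every PFE */
        route 192.0.2.1/32 {
            discard;
            no-readvertise;
        }
    }
}
policy-options {
    community BLACKHOLE members 65535:666;
    policy-statement blackhole-import {
        term tagged {
            from {
                community BLACKHOLE;
                /* only host routes may be blackholed */
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                /* the /32 resolves through the discard route above,
                   so traffic to the attacked host is dropped in hardware */
                next-hop 192.0.2.1;
                accept;
            }
        }
    }
}
protocols {
    bgp {
        group upstreams {
            import blackhole-import;
        }
    }
}
```

Check the result with `show route <victim>/32 detail`: the next-hop type should be Discard, and `show route 192.0.2.1` should show the static discard route it resolves through.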