[j-nsp] mitigating dos attack on Juniper M10i

Jensen Tyler JTyler at fiberutilities.com
Tue Apr 5 12:18:21 EDT 2011


Juniper also supports cool things like this:

prefix-list BGP-Peers {
    apply-path "protocols bgp group <*> neighbor <*>";
}

You'll need to modify it if you have any routing instances with BGP peers.

Jensen Tyler
Network Engineer
Fiberutilities Group, LLC
(319) 364-3200 (office)
(319) 364-8100 (fax)
(319) 329-8578 (mobile)


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Giuliano Medalha
Sent: Tuesday, April 05, 2011 10:53 AM
To: Stefan Fouant
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i

You can create a RE filter to protect the control plane (apply it input in
lo0):

filter protect-RE {
    /* BGP: policed, but accepted from any source (no source-prefix-list) */
    term bgp {
        from {
            protocol tcp;
            port bgp;
        }
        then {
            policer bgp-policer;
            count bgp;
            accept;
        }
    }

    /* SNMP polls only from the managers in prefix-list snmp-addresses */
    term snmp {
        from {
            source-prefix-list {
                snmp-addresses;
            }
            protocol udp;
            destination-port snmp;
        }
        then {
            policer snmp-policer;
            count snmp-count;
            accept;
        }
    }

    /* NTP to or from the servers in prefix-list ntp-addresses */
    term ntp {
        from {
            source-prefix-list {
                ntp-addresses;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer ntp-policer;
            count ntp;
            accept;
        }
    }

    /* DNS answers coming back from the resolvers in prefix-list dns-addresses */
    term dns {
        from {
            source-prefix-list {
                dns-addresses;
            }
            protocol udp;
            source-port domain;
        }
        then {
            policer dns-policer;
            count dns;
            accept;
        }
    }

    /* UDP traceroute probes (classic port range); counted but not policed */
    term traceroute {
        from {
            protocol udp;
            destination-port 33434-33534;
        }
        then {
            count traceroute-traffic;
            accept;
        }
    }

    term icmp {
        from {
            protocol icmp;
            icmp-type [ echo-request echo-reply unreachable time-exceeded ];
        }
        then {
            policer small-bw-policer;
            count icmp-traffic;
            accept;
        }
    }

    /* Everything not matched above is counted, logged and dropped */
    term discard-everything-else {
        then {
            count deny-everything-else;
            log;
            discard;
        }
    }
}

policer dns-policer {
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 15k;
    }
    then discard;
}

policer ntp-policer {
    if-exceeding {
        bandwidth-limit 250k;
        burst-size-limit 15k;
    }
    then discard;
}

policer snmp-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 15k;
    }
    then discard;
}

policer bgp-policer {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 2m;
    }
    then discard;
}


After that you can use black hole rules with communities to mitigate the attack.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
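Putting the two posts together, as an added example that is not from either poster: the apply-path prefix-list feeds the bgp term of the RE filter so that BGP is only accepted from configured neighbors, a second prefix-list covers peers inside routing instances (the case Jensen points out), and the filter is applied as input on lo0. Names other than BGP-Peers and protect-RE (BGP-Peers-VRF, unit 0) are assumptions; the other terms and policers from the thread are left unchanged.

```junos
policy-options {
    /* Neighbors of the main instance, kept in sync with the BGP config */
    prefix-list BGP-Peers {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    /* Neighbors configured inside routing instances (assumed name) */
    prefix-list BGP-Peers-VRF {
        apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter protect-RE {
            /* Same as the thread's bgp term, now limited to known peers */
            term bgp {
                from {
                    source-prefix-list {
                        BGP-Peers;
                        BGP-Peers-VRF;
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    policer bgp-policer;
                    count bgp;
                    accept;
                }
            }
            /* snmp, ntp, dns, traceroute and icmp terms from the thread go here */
            term discard-everything-else {
                then {
                    count deny-everything-else;
                    log;
                    discard;
                }
            }
        }
    }
    /* bgp-policer and the other policers are defined as in the thread */
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-RE;
                }
            }
        }
    }
}
```

Check the expanded list with `show configuration policy-options prefix-list BGP-Peers | display inheritance` before committing, and watch the counters with `show firewall filter protect-RE` to confirm sessions land in the bgp term rather than in deny-everything-else.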
