[j-nsp] mitigating dos attack on Juniper M10i
Stefan Fouant
sfouant at shortestpathfirst.net
Tue Apr 5 12:47:43 EDT 2011
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Stefan Fouant
> Sent: Tuesday, April 05, 2011 11:33 AM
> To: 'kwarteng'; 'Jonas Frey (Probe Networks)'
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
>
> Without flow visibility, one way to accomplish this and determine the IP
> under attack is to use something called Prefix-Specific Counters. Something
> along the following lines should help you to narrow it down. Insert term 1
> into the appropriate location
>
> [edit firewall]
> bogus at m120-1# show
> family inet {
>     prefix-action find-attacker {
>         count;
>         destination-prefix-length 32;
>     }
> }
> filter incoming-policy {
>     term 1 {
>         then {
>             next term;
>             prefix-action find-attacker;
>         }
>     }
> }
>
Sorry, the term should have looked like this (replace 192.168.1.0/24 with
the affected destination subnet):

filter incoming-policy {
    term 1 {
        from {
            destination-address 192.168.1.0/24;
        }
        then {
            next term;
            prefix-action find-attacker;
        }
    }
}

The resultant prefix-specific counter will give you a host counter for every
/32 host within the 192.168.1.0/24 netblock, allowing you to see which host
is under attack.
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
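As an added illustration (not part of the original post, and not how Junos implements it internally), the following Python model shows what the prefix-action above does conceptually: every packet whose destination matches the term's subnet is attributed to a counter bucket keyed on the first destination-prefix-length bits of its destination, so with 32 bits you get one counter per /32 host and the flooded host stands out. The packet destinations are a constructed sample; the function also accepts other prefix lengths (e.g. 25) to show how coarser buckets aggregate hosts.

```python
import ipaddress
from collections import Counter

# Constructed sample of packet destination addresses as the filter term would
# see them; one host in the subnet receives far more packets than the rest.
SAMPLE_DESTINATIONS = (
    ["192.168.1.7"] * 5000     # the host being flooded
    + ["192.168.1.10"] * 40
    + ["192.168.1.200"] * 25
    + ["10.0.0.5"] * 300       # outside the term's subnet, never counted
)


def prefix_action_counts(destinations, match_subnet, destination_prefix_length=32):
    """Model of a Junos prefix-action with 'count' attached to a term that
    matches destination-address match_subnet. Returns a Counter mapping each
    destination-prefix-length bucket (as a network string) to its packet count.
    """
    network = ipaddress.ip_network(match_subnet)
    if destination_prefix_length < network.prefixlen:
        # A bucket wider than the matched subnet makes no sense.
        raise ValueError("destination-prefix-length must not be shorter than the subnet")
    counters = Counter()
    for dst in destinations:
        addr = ipaddress.ip_address(dst)
        if addr not in network:
            continue  # the term's 'from' clause does not match; not counted
        # Truncate the address to the bucket prefix, e.g. 192.168.1.7 -> 192.168.1.7/32
        bucket = ipaddress.ip_network(f"{addr}/{destination_prefix_length}", strict=False)
        counters[str(bucket)] += 1
    return counters


def top_targets(counters, n=3):
    """Return the n busiest buckets, highest count first."""
    return counters.most_common(n)


if __name__ == "__main__":
    counts = prefix_action_counts(SAMPLE_DESTINATIONS, "192.168.1.0/24")
    for bucket, packets in top_targets(counts):
        print(f"{bucket:<20} {packets}")
```

Running it lists 192.168.1.7/32 first by a wide margin, which is the host you would then protect or null-route; with destination-prefix-length 25 the same traffic collapses into two /25 buckets and the individual host is no longer distinguishable, so choose the bucket size to match the granularity you need.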