[j-nsp] mitigating dos attack on Juniper M10i

kwarteng kwarteng at myzipnet.com
Tue Apr 5 17:32:05 EDT 2011


Hello all,

I have set up a NetFlow analyzer to be able to identify the IP being
attacked or the attacking IP.
I however don't seem to have it populated. Even the file on the Juniper box
doesn't show anything.
What am I doing wrong please?


===
run show log /var/tmp/ddos-debug.log
# Apr  5 16:57:04
#            Time            Dest             Src  Dest   Src Proto  TOS  Pkt  Intf    IP   TCP
#                            addr            addr  port  port             len   num  frag flags

===

CONFIG
===

show forwarding-options
sampling {
    input {
        rate 100;
    }
    output { ## Warning: 'output' is deprecated
        file filename ddos-debug.log;
        flow-server a.b.c.d {
            port 9996;
        }
    }
}


show firewall filter all
term all {
    then {
        sample;
        accept;
    }
}



show interfaces so-0/1/0
keepalives interval 10;
clocking external;
encapsulation cisco-hdlc;
framing {
    sdh;
}
sonet-options {
    fcs 32;
}
unit 0 {
    family inet {
        accounting {
            source-class-usage {
                input;
                output;
            }
            destination-class-usage;
        }
        rpf-check;
        filter {
            input-list [ SAMPLER BLOCK-FROM-INTERNET all ];
            output all;
        }
        sampling {
            input;
        }
        address e.f.g.h/30;
    }
}
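Editor's added example, not part of the poster's configuration: a Junos firewall filter that counts inbound packets per customer prefix on the transit interface, so the prefix under attack can be located without depending on the sampling export. The customer prefixes (a.b.0.0/24, a.b.1.0/24, a.b.2.0/23), the filter name FIND-DOS-TARGET and the counter names are placeholders; the interface, the existing filter names and the input-list are taken from the configuration above. It assumes that a packet accepted by one filter in an input-list is passed on to the next filter in the list, which is why the new filter is placed first.

```junos
firewall {
    filter FIND-DOS-TARGET {
        /* One term per customer block; the prefixes are placeholders.
           count does not alter forwarding; accept hands the packet to
           the next filter in the input-list. */
        term cust-a {
            from {
                destination-address {
                    a.b.0.0/24;
                }
            }
            then {
                count cust-a;
                accept;
            }
        }
        term cust-b {
            from {
                destination-address {
                    a.b.1.0/24;
                }
            }
            then {
                count cust-b;
                accept;
            }
        }
        term cust-c {
            from {
                destination-address {
                    a.b.2.0/23;
                }
            }
            then {
                count cust-c;
                accept;
            }
        }
        /* Anything not matched above, e.g. the router's own addresses
           or infrastructure links, so the per-customer counters can be
           compared against the interface total. */
        term everything-else {
            then {
                count other;
                accept;
            }
        }
    }
}
interfaces {
    so-0/1/0 {
        unit 0 {
            family inet {
                filter {
                    /* New counting filter first, ahead of the existing chain. */
                    input-list [ FIND-DOS-TARGET SAMPLER BLOCK-FROM-INTERNET all ];
                }
            }
        }
    }
}
```

To read it, run `clear firewall filter FIND-DOS-TARGET`, wait ten seconds, then `show firewall filter FIND-DOS-TARGET`; at the 11 kpps seen on the interface the term whose packet counter grows fastest holds the target. To get down to the /32, add `log` to that one term and look at `show firewall log`, which records source and destination address of each logged packet; the log buffer lives on the Routing Engine and is rate limited, so it is for a quick look, not for collection. Once the address is known, either split that term into /32 terms to confirm, or announce the /32 with the provider's blackhole community.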





-----Original Message-----
From: OBrien, Will [mailto:ObrienH at missouri.edu] 
Sent: Tuesday, April 05, 2011 2:24 PM
To: kwarteng
Cc: Jonas Frey (Probe Networks); juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i

It depends on just how bad the attack is.
If you can't identify the major sources with something like NetFlow/cflow,
you might be able to identify the target. I suggest popping the policer on
your customers one by one and taking note of whose inbound traffic spikes the
most.

Alternatively, if it's saturating your link, you could temporarily stop
advertising routes on a per customer basis and look for a significant drop
in inbound traffic. (This assumes that they have significantly different
netblocks)

Unfortunately, a well-planned DDoS attack can often target multiple end
users, making it more difficult to nail down.
On Apr 5, 2011, at 9:07 AM, kwarteng wrote:

> Hello,
> 
> The issue is the incoming traffic on my interface has all of a sudden
> increased by about 100M.
> 
> Input rate     : 117310032 bps (11356 pps)
> Output rate    : 2590056 bps (1863 pps)
> 
> I cannot source this huge traffic from anywhere on my network.
> I can't figure out my customers' IPs which originate this traffic because
> the traffic gets cut off on my policy enforcer.
> My Transit provider says I can implement this community 64999:0 on my
> prefixes to help mitigate this DoS.
> 
> I do not want the traffic to enter my interface at all but dropped at my
> Transit provider's end.
> 
> So far I have not been able to figure out which IP in my network is being
> attacked. I tried the accounting, but the show commands to go through.
> 
> I just want to stop this DoS attack so that my uplink can be used by my
> customers.
> 
> Any help please
> 
> Emmanuel
> 
> 
> 
> -----Original Message-----
> From: Jonas Frey (Probe Networks) [mailto:jf at probe-networks.de] 
> Sent: Tuesday, April 05, 2011 1:36 PM
> To: kwarteng
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
> 
> Hello,
> 
> the question is: What do you want to do?
> 
> a) Filter the attacked IP (your IP) by your ISP in terms of a blackhole
> community. Does your ISP offer this?
> If they do, you need to announce them this single IP address (/32) with
> their community set.
> 
> b) You can filter the attack on the interface it's coming in on, but the
> traffic will still enter your interface and you might get charged for it.
> 
> c) You can just route the IP being attacked to discard, which is useful
> if you have multiple interfaces where the attack is incoming.
> 
> Regards,
> Jonas Frey
> 
> 
> On Tuesday, 05.04.2011, 13:00 +0000, kwarteng wrote:
>> Hello all,
>> 
>> I am having a DoS attack from one of my Transit providers.
>> I already have a bogon filter on the router.
>> I have also tried a blackhole with a BGP community.
>> The attack still seems to be on.
>> 
>> My config below:
>> 
>> 
>> protocols {
>>     bgp {
>>         group xxxx {
>>             type external;
>>             remove-private;
>>             peer-as xxx;
>>             neighbor a.b.c.d {
>>                 description "eBGP with xxx";
>>                 import block_dos_attack;
>>                 export [ prefixes_out block_dos_attack ];
>>             }
>>         }
>>     }
>> }
>> 
>> policy-options {
>>     policy-statement block_dos_attack {
>>         term dos_community {
>>             from community dos_origin;
>>             then {
>>                 community set dos_origin;
>>                 accept;
>>             }
>>         }
>>         term default {
>>             then accept;
>>         }
>>     }
>> 
>>     community dos_origin members 64999:0;
>> }
>> 
>> 
>> ===========
>> ===========
>> 
>> firewall {
>>    filter BLOCK-FROM-INTERNET {
>>        term block-bogon-prefix {
>>            from {
>>                source-address {
>>                    0.0.0.0/8;
>>                    10.0.0.0/8;
>>                    127.0.0.0/8;
>>                    169.254.0.0/16;
>>                    128.0.0.0/24;
>>                    172.16.0.0/12;
>>                    191.255.0.0/16;
>>                    192.0.0.0/24;
>>                    192.0.2.0/24;
>>                    192.168.0.0/16;
>>                    223.255.255.0/24;
>>                    224.0.0.0/4;
>>                    240.0.0.0/5;
>>                    248.0.0.0/5;
>>                    255.255.255.255/32;
>>                }
>>            }
>>            then {
>>                count bogon-prefix;
>>                log;
>>                discard;
>>            }
>>        }
>>        term block-anti-spoofing {
>>            from {
>>                source-address {
>>                    a.b.0.0/19;
>>                }
>>            }
>>            then {
>>                log;
>>                discard;
>>            }
>>        }
>>        term block-spam-to-mail {
>>            from {
>>                source-address {
>>                    96.230.130.132/32;
>>                    83.243.37.42/32;
>>                    70.154.241.84/32;
>>                    194.9.124.125/32;
>>                    82.128.87.27/32;
>>                    41.26.120.244/32;
>>                    64.184.250.236/32;
>>                    75.127.159.98/32;
>>                }
>>                destination-address {
>>                    a.b.0.d/32;
>>                }
>>            }
>>            then {
>>                count block-spam;
>>                log;
>>                syslog;
>>                discard;
>>            }
>>        }
>>        term DEFAULT {
>>            then accept;
>>        }
>>    }
>> }
>> 
>> 
>> 
>> Any help please
>> 
>> Emmanuel
>> 
>> 
>> 
>> 
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
> 

Will O'Brien
University of Missouri, DoIT DNPS
Network Systems Analyst - Redacted

obrienh at missouri.edu
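Editor's added example of Jonas Frey's option (a), a remote-triggered blackhole announcement; this is not the poster's configuration. The victim address a.b.0.d/32, the neighbour a.b.c.d, the group name xxxx, the existing export policy prefixes_out and the community value 64999:0 are taken from the thread as placeholders; the policy name export-blackhole, the community name blackhole and the term names are the editor's. It assumes the transit provider has agreed to accept a /32 carrying 64999:0 from this peer, since a /32 would otherwise be filtered as too long.

```junos
routing-options {
    static {
        /* The host under attack. A discard next hop also drops the
           traffic locally on every interface (Jonas's option c), and
           the community is attached here so the policy can pick the
           route out by tag rather than by address. */
        route a.b.0.d/32 {
            discard;
            community 64999:0;
        }
    }
}
policy-options {
    community blackhole members 64999:0;
    policy-statement export-blackhole {
        /* Announce only static /32 discard routes that already carry
           the blackhole community. */
        term tagged-discard {
            from {
                protocol static;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
                community blackhole;
            }
            then accept;
        }
        /* No other host or long prefix leaves towards the transit
           peer, whatever later policies would do with it. */
        term no-other-host-routes {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /25-/32;
            }
            then reject;
        }
        /* Everything else falls through to prefixes_out. */
    }
}
protocols {
    bgp {
        group xxxx {
            neighbor a.b.c.d {
                /* The blackhole policy runs before the normal export
                   policy so the /32 is accepted before anything
                   further down the chain can reject it. */
                export [ export-blackhole prefixes_out ];
            }
        }
    }
}
```

Confirm with `show route a.b.0.d/32 detail` that the discard route is active and carries the community, and with `show route advertising-protocol bgp a.b.c.d a.b.0.d/32 detail` that the community is actually sent to the peer. Deleting the static route withdraws the announcement. This sacrifices the victim host, legitimate traffic included, to keep the uplink usable for everyone else, so it is a last resort and the route should be removed once the attack subsides.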
