[j-nsp] mitigating dos attack on Juniper M10i
Jonas Frey (Probe Networks)
jf at probe-networks.de
Tue Apr 5 22:24:22 EDT 2011
You dont really need netflow to find the host attacking if its a simple
attack.
Do this:
jonas at ffm3-edge# show firewall filter attack
term attack {
    then {
        log;
        accept;
    }
}
and then apply to your interface:
unit 0 {
    family inet {
        filter {
            input attack;
        }
    }
}
then you can view the current flows by using:
run show firewall log
If you have other filters, make sure you do not have an "accept all"
with them, otherwise the attack filter will never see any packets.
Regards,
Jonas
On Tuesday, 05.04.2011, 21:32 +0000, kwarteng wrote:
> Hello all,
>
> I have set up a Net flow analyzer to be able to identify the IP being
> attacked or the attacking IP.
> I however don't seem to have it populated. Even the file on juniper box
> doesn't show anything
> What am I doing wrong please?
>
>
> ===
> run show log /var/tmp/ddos-debug.log
> # Apr 5 16:57:04
> # Time     Dest    Src     Dest    Src     Proto   TOS   Pkt   Intf   IP     TCP
> #          addr    addr    port    port                  len   num    frag   flags
>
> ===
>
> CONFIG
> ===
>
> show forwarding-options
> sampling {
>     input {
>         rate 100;
>     }
>     output { ## Warning: 'output' is deprecated
>         file filename ddos-debug.log;
>         flow-server a.b.c.d {
>             port 9996;
>         }
>     }
> }
>
>
> show firewall filter all
> term all {
>     then {
>         sample;
>         accept;
>     }
> }
>
>
>
> show interfaces so-0/1/0
> keepalives interval 10;
> clocking external;
> encapsulation cisco-hdlc;
> framing {
>     sdh;
> }
> sonet-options {
>     fcs 32;
> }
> unit 0 {
>     family inet {
>         accounting {
>             source-class-usage {
>                 input;
>                 output;
>             }
>             destination-class-usage;
>         }
>         rpf-check;
>         filter {
>             input-list [ SAMPLER BLOCK-FROM-INTERNET all ];
>             output all;
>         }
>         sampling {
>             input;
>         }
>         address e.f.g.h/30;
>     }
> }
>
>
>
>
>
> -----Original Message-----
> From: OBrien, Will [mailto:ObrienH at missouri.edu]
> Sent: Tuesday, April 05, 2011 2:24 PM
> To: kwarteng
> Cc: Jonas Frey (Probe Networks); juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
>
> It depends on just how bad the attack is.
> If you can't identify the major sources with something like netflow/cflow,
> you might be able to identify the target. I suggest popping the policer on
> your customers one by one and take note of whose inbound traffic spikes the
> most.
>
> Alternatively, if it's saturating your link, you could temporarily stop
> advertising routes on a per customer basis and look for a significant drop
> in inbound traffic. (This assumes that they have significantly different
> netblocks)
>
> Unfortunately, a well planned ddos attack can often target multiple end
> users, making it more difficult to nail down.
> On Apr 5, 2011, at 9:07 AM, kwarteng wrote:
>
> > Hello,
> >
> > The issue is the incoming traffic on my interface has all of a sudden
> increased by about 100M.
> >
> > Input rate : 117310032 bps (11356 pps)
> > Output rate : 2590056 bps (1863 pps)
> >
> > I cannot source this huge traffic from anywhere on my network.
> > I can't figure out my customers IPs which originate this traffic because
> the traffic gets cut off on my policy enforcer.
> > My Transit provider says I can implement this community 64999:0 on my
> prefixes to help mitigate this DOS.
> >
> > I do not want the traffic to enter my interface at all but dropped at my
> Transit providers end.
> >
> > So far I have not been able to figure out which IP in my network is being
> attacked. I tried the accounting, but the show commands to go through.
> >
> > I just want to stop this DOS attack so that my uplink can be used by my
> customers.
> >
> > Any help please
> >
> > Emmanuel
> >
> >
> >
> > -----Original Message-----
> > From: Jonas Frey (Probe Networks) [mailto:jf at probe-networks.de]
> > Sent: Tuesday, April 05, 2011 1:36 PM
> > To: kwarteng
> > Cc: juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
> >
> > Hello,
> >
> > the question is: What do you want to do?
> >
> > a) Filter the attacked IP (your IP) by your ISP in terms of blackhole
> community. Does your ISP offer this?
> > If they do you need to announce them this single IP address (/32) with
> their community set.
> >
> > b) You can filter the attack on the interfaces its coming in but the
> traffic will still enter your interface and you might get charged for it.
> >
> > c) You can just route the IP being attacked to discard, which is useful
> > if you have multiple interfaces where the attack is incoming.
> >
> > Regards,
> > Jonas Frey
> >
> >
> > On Tuesday, 05.04.2011, 13:00 +0000, kwarteng wrote:
> >> Hello all,
> >>
> >> I am having a dos attack from one of my Transit providers.
> >> I already have a bogon filter on the router.
> >> I have also tried a blackhole with a bgp community.
> >> The attack still seems to be on.
> >>
> >> My config below:
> >>
> >>
> >> protocols {
> >>     bgp {
> >>         group xxxx {
> >>             type external;
> >>             remove-private;
> >>             peer-as xxx;
> >>             neighbor a.b.c.d {
> >>                 description "eBGP with xxx";
> >>                 import block_dos_attack;
> >>                 export [ prefixes_out block_dos_attack ];
> >>             }
> >>         }
> >>     }
> >> }
> >>
> >>
> >> policy-statement block_dos_attack {
> >>     term dos_community {
> >>         from community dos_origin;
> >>         then {
> >>             community set dos_origin;
> >>             accept;
> >>         }
> >>     }
> >>     term default {
> >>         then accept;
> >>     }
> >> }
> >>
> >>
> >>
> >> community dos_origin members 64999:0; }
> >>
> >>
> >> ===========
> >> ===========
> >>
> >> firewall {
> >>     filter BLOCK-FROM-INTERNET {
> >>         term block-bogon-prefix {
> >>             from {
> >>                 source-address {
> >>                     0.0.0.0/8;
> >>                     10.0.0.0/8;
> >>                     127.0.0.0/8;
> >>                     169.254.0.0/16;
> >>                     128.0.0.0/24;
> >>                     172.16.0.0/12;
> >>                     191.255.0.0/16;
> >>                     192.0.0.0/24;
> >>                     192.0.2.0/24;
> >>                     192.168.0.0/16;
> >>                     223.255.255.0/24;
> >>                     224.0.0.0/4;
> >>                     240.0.0.0/5;
> >>                     248.0.0.0/5;
> >>                     255.255.255.255/32;
> >>                 }
> >>             }
> >>             then {
> >>                 count bogon-prefix;
> >>                 log;
> >>                 discard;
> >>             }
> >>         }
> >>         term block-anti-spoofing {
> >>             from {
> >>                 source-address {
> >>                     a.b.0.0/19;
> >>                 }
> >>             }
> >>             then {
> >>                 log;
> >>                 discard;
> >>             }
> >>         }
> >>         term block-spam-to-mail {
> >>             from {
> >>                 source-address {
> >>                     96.230.130.132/32;
> >>                     83.243.37.42/32;
> >>                     70.154.241.84/32;
> >>                     194.9.124.125/32;
> >>                     82.128.87.27/32;
> >>                     41.26.120.244/32;
> >>                     64.184.250.236/32;
> >>                     75.127.159.98/32;
> >>                 }
> >>                 destination-address {
> >>                     a.b.0.d/32;
> >>                 }
> >>             }
> >>             then {
> >>                 count block-spam;
> >>                 log;
> >>                 syslog;
> >>                 discard;
> >>             }
> >>         }
> >>         term DEFAULT {
> >>             then accept;
> >>         }
> >>     }
> >> }
> >>
> >>
> >>
> >> Any help please
> >>
> >> Emmanuel
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> Will O'Brien
> University of Missouri, DoIT DNPS
> Network Systems Analyst - Redacted
>
> obrienh at missouri.edu
>
>
>
>
>
>
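Added example, not code from anyone in the thread: the recurring question above is "which of my IPs is being attacked, and who is sending it?", and both Jonas's `log` filter and kwarteng's sampling file answer it only once the lines are aggregated. The script below parses the sampling output file whose header kwarteng quoted (Time, Dest addr, Src addr, Dest port, Src port, Proto, TOS, Pkt len, Intf num, IP frag, TCP flags), picks the destination with the most samples, scales by the configured sampling rate, reports the top sources and how SYN-only the traffic is, and then emits the Junos `set` lines that originate a discard /32 for that target carrying the 64999:0 blackhole community quoted from the transit provider. The log lines are constructed with documentation address ranges; that the eBGP export policy accepts the static /32 and that the provider honours a /32 with that community are assumptions that have to be confirmed with the ISP. The same aggregation applies to `show firewall log` output from the `log` filter, but that command has its own column layout and is not parsed here.

```python
"""Find the DDoS target and top sources in a Junos sampling output file.

Added example (not code from the thread). It parses the text file Junos
writes for `forwarding-options sampling output file`, whose columns are
the ones in the header quoted from ddos-debug.log: Time, Dest addr,
Src addr, Dest port, Src port, Proto, TOS, Pkt len, Intf num, IP frag,
TCP flags. The log below is constructed for illustration and uses
documentation address ranges.
"""
from collections import Counter

# Constructed sample of a sampled SYN flood toward one customer host.
SAMPLE_LOG = """\
# Apr 5 16:57:04
# Time            Dest          Src           Dest  Src    Proto TOS  Pkt  Intf IP   TCP
#                 addr          addr          port  port              len  num  frag flags
Apr 5 16:57:04    203.0.113.10  198.51.100.7  80    44021  6     0x0  40   11   0x0  0x2
Apr 5 16:57:04    203.0.113.10  198.51.100.9  80    51233  6     0x0  40   11   0x0  0x2
Apr 5 16:57:04    203.0.113.10  192.0.2.44    80    60012  6     0x0  40   11   0x0  0x2
Apr 5 16:57:05    203.0.113.10  198.51.100.7  80    44022  6     0x0  40   11   0x0  0x2
Apr 5 16:57:05    203.0.113.25  192.0.2.8     443   33100  6     0x0  1500 11   0x0  0x10
Apr 5 16:57:05    203.0.113.10  198.51.100.7  80    44023  6     0x0  40   11   0x0  0x2
Apr 5 16:57:06    203.0.113.10  198.51.100.9  80    51234  6     0x0  40   11   0x0  0x2
"""

COLUMNS = ("dst", "src", "dport", "sport", "proto", "tos", "len", "intf", "frag", "flags")
TCP = 6
SYN = 0x2


def parse_sampling_log(text):
    """Return one dict per sampled packet; comment and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        # A data line is "Mon D HH:MM:SS" followed by the ten columns above.
        if not tokens or tokens[0].startswith("#") or len(tokens) != 13:
            continue
        rec = dict(zip(COLUMNS, tokens[3:]))
        rec["time"] = " ".join(tokens[:3])
        for key in ("dport", "sport", "proto", "len", "intf", "tos", "frag", "flags"):
            rec[key] = int(rec[key], 0)   # base 0 accepts both "40" and "0x10"
        records.append(rec)
    return records


def attack_profile(records, rate=100):
    """Pick the destination with the most samples and describe the traffic to it.

    `rate` is the configured sampling rate (1 in N), so sample counts are
    multiplied by it to estimate packets actually seen in the window.
    """
    if not records:
        return None
    target, hits = Counter(r["dst"] for r in records).most_common(1)[0]
    to_target = [r for r in records if r["dst"] == target]
    syn_only = sum(1 for r in to_target if r["proto"] == TCP and r["flags"] == SYN)
    return {
        "target": target,
        "share": hits / len(records),                 # fraction of all samples
        "est_packets": hits * rate,                    # estimated packets, not pps
        "top_sources": Counter(r["src"] for r in to_target).most_common(3),
        "syn_only_fraction": syn_only / len(to_target),
    }


def blackhole_commands(address, community="64999:0"):
    """Junos `set` lines that originate a discard /32 for the target carrying the
    ISP's blackhole community (64999:0 is the value quoted in the thread).

    Assumptions: the eBGP export policy accepts this static route, and the
    ISP accepts a /32 tagged with that community. Both must be confirmed
    with the provider; this only produces the local side.
    """
    prefix = address if "/" in address else f"{address}/32"
    return [
        f"set routing-options static route {prefix} discard",
        f"set routing-options static route {prefix} community {community}",
    ]


if __name__ == "__main__":
    profile = attack_profile(parse_sampling_log(SAMPLE_LOG), rate=100)
    print(f"target {profile['target']} gets {profile['share']:.0%} of samples "
          f"(~{profile['est_packets']} packets); SYN-only share "
          f"{profile['syn_only_fraction']:.0%}")
    for src, n in profile["top_sources"]:
        print(f"  source {src}: {n} samples")
    print("\n".join(blackhole_commands(profile["target"])))
```

Run it against the real file with `parse_sampling_log(open("/var/tmp/ddos-debug.log").read())` and the `rate` from the sampling stanza. A high SYN-only fraction with many low-volume sources points at a spoofed flood, where chasing sources is pointless and the /32 blackhole toward the provider is the practical answer; a handful of heavy sources is the case where an input filter on the transit interface is enough. The discard route stops being useful the moment the customer behind it needs to be reachable again, so remove it once the flood subsides.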
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20110406/884d88a9/attachment.pgp>