[j-nsp] SRX policy action to inject a route in a table??

Crist Clark Crist.Clark at globalstar.com
Thu Mar 17 18:21:47 EDT 2011

>>> On 3/17/2011 at  3:04 PM, Clarke Morledge <chmorl at wm.edu> wrote:
> The SRX policy actions (count, deny, log, permit, reject) are helpful, but 
> a little limited.  I am wondering if there might be a way to enforce a 
> special action such as take the ip address of the source packet and inject 
> it into a routing table of some sort.
> What I have in mind is some way to use the SRX to grab the IPs of 
> misbehaving hosts and put the address in a RIB.  Then I can use routing 
> policy to put the route into a BGP feed to a border router that would null 
> route traffic to and from that IP address using tricks with Unicast 
> Reverse Path Forwarding.
> This would be like using the SRX has a simple honeypot to then enforce a 
> host address block at the network perimeter.  Of course, there are all 
> sorts of dangers and challenges involved, such as making sure you don't 
> end up DOS'ing the SRX yourself, etc.  But I still wish there was a clean 
> way to proactively do this.
> My other option is to just log the packet to somewhere else, parse the 
> log, then grab the IP of the offender and populate my BGP feed that way. 
> But this could get complicated, too.
> It could be a handy feature to do all of this task  on the SRX.
> Anybody have any ideas on this?

Event script.

SLAX scripts are a bit hard to wrap your head around at first, but
this Day One document is a pretty good primer,


You may want to hit up,


And see if something even close already exists there.

BTW, anyone else know of good sources of JUNOS script examples?

Crist Clark
Network Security Specialist, Information Systems
408 933 4387

More information about the juniper-nsp mailing list