[j-nsp] SRX: rate-limiting source NAT sources

Jonathan Lassoff jof at thejof.com
Mon Oct 29 17:55:10 EDT 2012


So, I'm working on tuning an SRX deployment and am wondering if
something is possible.

This deployment is doing a lot of source NAT for a wide variety of
endpoints as they egress out to the Internet. Pretty vanilla
configuration.
Specific sources are mapped via NAT rules to specific egress IPs (for
IP filtering in some places, outside of the SRXes in question).

And once in a while, some endpoint will have a legitimate need to open
up *many* connections (and then NAT states) that pass over this SRX
deployment.
Unfortunately, the rate of connection establishment relative to the
application timeouts means that these heavy users can use up all of
the ephemeral ports, blocking new flows from becoming established.

We've been playing a bit of whack-a-mole, assigning more IP space to
the various source NAT pools, but would like to find a more proper
solution.


So, my question is this: is there any mechanism anyone knows of to
rate-limit or block-past-a-threshold a "source NAT" source if it
starts making too many connections?
I don't see anything obvious in the SRX documentation, so I figured
I'd ask here for pointers.

Right now, it's way to easy for one bad actor (malicious or
benevolent) to max out a source NAT pool.

Cheers,
jof


More information about the juniper-nsp mailing list