[j-nsp] IPv4 Filter for ECN/CWR tcp bit (RFC3168)

Jonas Frey (Probe Networks) jf at probe-networks.de
Fri Nov 27 08:20:49 EST 2015


Hello,

I am trying to filter IPv4 traffic based on the tcp-options, in detail I
am looking to filter for traffic with options CWR and ECN set (RFC3168).

It seems this is not possible on current MX gear running 14.2.
From the docs, Juniper only lists 6 of the current 8 tcp-options
available to filter for:

http://www.juniper.net/documentation/en_US/junos14.2/topics/reference/general/firewall-filter-service-match-conditions.html

If a hex value including the ECN or CWR options is specified, commit will fail
with a dfw bitfield error.

Does anybody have any idea if it's possible to filter for such traffic?
It seems even with MS-MIC this is not possible.

I am asking since we are seeing new types of DDoS attacks using SYN
traffic with ECN and CWR bit set (however with a non-zero ACK window).

Br,
Jonas
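As an added illustration (not part of the post, and not Juniper code), the script below decodes the TCP flag byte the way a firewall filter would have to, reports all eight flags including the CWR (0x80) and ECE (0x40) bits that the Junos 14.2 keywords leave out, and classifies pure SYNs so an operator can confirm on captured headers what the traffic in question looks like before deciding on a mitigation. It reads "non-zero ACK window" in the post as a non-zero acknowledgment number on a SYN whose ACK flag is clear; that interpretation, the sample headers and all function names are assumptions made for this example.

```python
import struct

# Bit masks for the eight TCP flags in the low byte of the 16-bit
# "data offset / reserved / flags" field (RFC 793, plus CWR and ECE from RFC 3168).
# The Junos 14.2 tcp-flags keywords cover only the last six of these.
TCP_FLAGS = {
    "cwr": 0x80,
    "ece": 0x40,
    "urg": 0x20,
    "ack": 0x10,
    "psh": 0x08,
    "rst": 0x04,
    "syn": 0x02,
    "fin": 0x01,
}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header of a segment (options and payload ignored)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack_num, off_flags, window = struct.unpack(
        "!HHIIHH", segment[:16]
    )
    flag_byte = off_flags & 0x00FF  # NS (0x100) sits above this byte and is not matched here
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack_num": ack_num,
        "window": window,
        "data_offset": (off_flags >> 12) * 4,
        "flag_byte": flag_byte,
        "flags": {name: bool(flag_byte & mask) for name, mask in TCP_FLAGS.items()},
    }


def flags_hex(hdr: dict) -> str:
    """The flag byte as the hex literal one would write in a tcp-flags hex match."""
    return f"0x{hdr['flag_byte']:02x}"


def classify_syn(hdr: dict) -> str:
    """Label a segment by how its SYN and ECN bits are combined.

    RFC 3168 section 6.1.1 defines the ECN-setup SYN as SYN with both ECE and
    CWR set and ACK clear; that is legitimate traffic. A pure SYN that also
    carries a non-zero acknowledgment number is unusual, since the ACK field
    is only meaningful when the ACK bit is set (RFC 793); this is the
    assumed reading of the "non-zero ACK" variant mentioned in the post.
    """
    f = hdr["flags"]
    if not f["syn"] or f["ack"]:
        return "not-a-pure-syn"
    if f["cwr"] and f["ece"]:
        return "ecn-syn-nonzero-ack" if hdr["ack_num"] != 0 else "ecn-setup-syn"
    if f["cwr"] or f["ece"]:
        return "syn-partial-ecn"
    return "plain-syn"


def build_segment(flag_byte: int, ack_num: int = 0) -> bytes:
    """Constructed 20-byte TCP header (data offset 5, no options) for testing only."""
    off_flags = (5 << 12) | flag_byte
    # checksum and urgent pointer left as zero; they do not matter for flag matching
    return struct.pack("!HHIIHH", 40000, 80, 1000, ack_num, off_flags, 65535) + b"\x00\x00\x00\x00"


# Constructed sample headers, not captured traffic.
SAMPLES = {
    "plain": build_segment(0x02),
    "ecn_setup": build_segment(0x02 | 0x40 | 0x80),
    "ecn_nonzero_ack": build_segment(0x02 | 0x40 | 0x80, ack_num=0x12345678),
    "syn_ack": build_segment(0x02 | 0x10, ack_num=1001),
}


def summarize(segments) -> dict:
    """Count each classification over an iterable of raw TCP headers."""
    counts = {}
    for seg in segments:
        label = classify_syn(parse_tcp_header(seg))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        hdr = parse_tcp_header(seg)
        set_flags = [n for n, v in hdr["flags"].items() if v]
        print(f"{name:16} flags={flags_hex(hdr)} {set_flags} -> {classify_syn(hdr)}")
    print(summarize(SAMPLES.values()))
```

The `flags_hex` value for an ECN-setup SYN comes out as `0xc2` (SYN plus ECE plus CWR), which is the kind of literal the post says the 14.2 commit rejects; feeding real headers from a capture into `summarize` shows how much of the observed SYN load falls into the legitimate `ecn-setup-syn` bucket versus the anomalous one before any filter is attempted.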
