[j-nsp] IPv4 Filter for ECN/CWR tcp bit (RFC3168)
Jonas Frey (Probe Networks)
jf at probe-networks.de
Fri Nov 27 08:20:49 EST 2015
Hello,
i am trying to filter IPv4 traffic based on the tcp-options, in detail i
am looking to filter for traffic with options CWR and ECN set (RFC3168).
It seems this is not possible on current MX gear running 14.2.
From the docs juniper only lists 6 of the current 8 tcp-options
available to filter for:
http://www.juniper.net/documentation/en_US/junos14.2/topics/reference/general/firewall-filter-service-match-conditions.html
If specified a hex value including ECN or CWR options commit will fail
with a dfw bitfield error.
Does anybody have any idea if its possible to filter for such traffic?
It seems even with MS-MIC this is not possible.
I am asking since we are seeing new types of dDos attacks using SYN
traffic with ECN and CWR bit set (however with a non-zero ACK window).
Br,
Jonas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20151127/25b18209/attachment.sig>
More information about the juniper-nsp
mailing list