[j-nsp] essential network rate limiting and ddos mitigation

Aaron Gould aaron1 at gvtc.com
Fri Jun 22 10:45:40 EDT 2018 

Hi Mike, I would like to hear from others about anything that might be built into Junos regarding intrusion or ddos types of traffic handling... (I do see ddos mentioned in cli shown below) since I too will soon have at least 2 and maybe 3, MX960 boundary routers between my ISP and the internet and will need to do this in Junos also...

...now, I can say that I accomplished something to which you are asking on my current internet boundary ASR9k's using home-grown, crafted ddos mitigation strategy...

It goes back a few years when we were getting slammed with volumetric-type ddos and it was filling up my lower speed internal distribution network links, and occasionally even filling up our internet links as well (more on that later)...

We did talk to vendors like Arbor and Radware and others, but they cost a lot depending on size and aren't exactly simple either....

What we did was, using netflow and other common knowledge and research, crafted a sort of defense-in-depth strategy...

...if it absolutely does not need to come through and has no legitimate uses, drop it.  Acl inbound, deny.

...it it has real uses, like ntp, dns, etc, but absolutely should not be coming in at rate of 2 gbps !!!, then put it into a policer bucket at a realistic level... we did this with cisco mqc type service-policy, policy-map, class-map, acls, etc.

...there are other attack vectors that we learned about via netflow that we crafter other udp port lists and applied to other policer buckets with manageable levels...

...if it's a sustained attack and filling up our internet uplinks or repeated to same victim, then we trigger rtbh which is a set of bgp /32's advertisements or communities that get advertised out to our (3) upstream providers and that stops the attack out in the cloud and no longer arrives at our "front doot" filling up or internet connections.  My rtbh trigger router is a cisco 2600 which has a 100 mbps connection, and I gave the NOC a job aid (script of cli commands) which are very simply a couple lines of commands that have the ip of the victim under attack and they paste that into the 2600 cli and like lightning fast, that advertisement is bgp advertised to my boundaries/cogent (since they do rtbh differently than my other 2) with needed communities applied and attack stops.

...I recall the way we learn about the victim ip under attack is via netflow alers using nfsen/nfdump alerts sent to cell phones and noc email

btw, nanog might also be a good place for a question like this...those folks seem to know a lot about internet-wide stuff and seem to be quite juniper savvy too

seeing some things about ddos in junos...

{master}
agould at lab-960> show version | grep Junos:
Junos: 17.4R1-S2.2

agould at lab-960> show ddos-protection version
DDOS protection, Version 1.1
  Total protocol groups       = 101
  Total tracked packet types  = 222

{master}
agould at lab-960> show ddos-protection protocols ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
  parameters           Show parameters for all protocols
  statistics           Show statistics and states for all protocols
  violations           Show summary of all protocol violations
  flow-detection       Show flow detection parameters
  culprit-flows        Show detected culprit flows
  resolve              Show resolve traffic information
  filter-action        Show filter action traffic (none-dhcp) information
.
.
.

root at lab-mx-240> show ddos-protection ?
Possible completions:
  protocols            Show protocol information
  statistics           Show overall statistics
  version              Show version
root at lab-mx-240> show ddos-protection version
DDOS protection, Version 1.0
  Total protocol groups       = 97
  Total tracked packet types  = 212

root at lab-mx-240> show version | grep Junos:
Junos: 16.1R3-S7.1

root at lab-mx-240>

- Aaron


-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of mike+jnsp at willitsonline.com
Sent: Friday, June 22, 2018 7:12 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] essential network rate limiting and ddos mitigation

Hello,


    I am very new to juniper, please pardon my ignorance.


    I have an MX240, and I have a 10G link to my upstream. I have
several other links facing my customers and hosting infrastructure which
all run at something decidedly less than 10G. Im interested in
implementing some network rate limit controls so that certain common
attacks like dns / ldap / memcache reflection can be rate limited down
to reasonable levels and avoid trying to forward a 4gbps stream down a
100mbps pipe. I know I want a layered system of policies and that I want
to include perhaps sampling and such with jflow or other tools and rtbh,
but for right now having even just basic limits on known reflection
attack protocols would be a huge step forward.

    I was wondering what the 'quick and dirty' setup of rate limiting
the forwarding of certain protocols and to certain destination networks
/ interfaces would look like on this platform. Some basic config
snippets would be a huge help.


Thank you.

Mike-


_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list