[j-nsp] Juniper UDP Amplification Attack - UDP port 111 ?
Chris Kawchuk
juniperdude at gmail.com
Fri Mar 16 05:29:33 EDT 2018
Hey Pierre,
Yep, agreed -- this goes back to Saku Ytti et al.'s discussion ([j-nsp] DDoS to core interface - mitigation) a few weeks back re: an IP block used just for infrastructure... and either filter it, rate-limit it, or simply don't announce it. Sage advice. Note that this was a lab box on my end where I noticed it (vmx1.mel-lab1), hence not really a "production" device and hence not part of the protected infrastructure range. (Note to self: also de-announce the lab /24...)
vMX 17.4 dropped recently (I was hoping for Mellanox SR-IOV drivers, but I think that's a vMX 18.1 thing...) and I have just been playing around with it since yesterday. Looks like the scan-bots found it quickly.
- Ck.
On 16 Mar 2018, at 8:12 pm, Pierre Emeriaud <petrus.lt at gmail.com> wrote:
> This is definitely not on the host:
>
> user at mx960> show system connections inet | match .111
> tcp4       0      0  *.111                  *.*                    LISTEN
> udp4       0      0  *.111                  *.*
>
> Chris, besides filters, using un-announced prefixes for your backbone
> would prevent this kind of issue (and some others).
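The `show system connections` output quoted above shows rpcbind bound to `*.111` on both tcp4 and udp4. What the scan-bots actually test is whether the box answers a portmapper PMAPPROC_DUMP request from outside, and how big the answer is. The script below is an added example written for this thread; it is not Juniper code, not from any list member, and does not assert anything about how Junos's rpcbind actually responds. It builds the 40-byte AUTH_NULL DUMP call and decodes the reply using only the standard ONC RPC v2 (RFC 5531) and portmapper v2 (RFC 1833) wire formats; the `build_dump_reply` helper exists so the parser can be exercised offline against a constructed registration list, and `probe()` is what you would run from an address outside your infrastructure range against a box you are responsible for.

```python
"""Probe/parse ONC RPC portmapper (rpcbind) PMAPPROC_DUMP over UDP/111.

Added example for this thread (not Juniper code, not any list member's).
Wire format per RFC 5531 (RPC v2 message) and RFC 1833 (portmapper v2):
the 40-byte AUTH_NULL DUMP request is what scanners send, and the reply
lists every registered program, so its size (and the amplification
factor) grows by 20 bytes per registration on the box.
"""
import socket
import struct
from typing import List, Optional, Tuple

PMAP_PROG = 100000          # portmapper program number
PMAP_VERS = 2
PMAPPROC_DUMP = 4
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NULL = 0

Mapping = Tuple[int, int, int, int]   # (prog, vers, proto, port)


def build_dump_request(xid: int) -> bytes:
    """RPC CALL for PMAPPROC_DUMP with empty AUTH_NULL cred and verf: 40 bytes."""
    return struct.pack(">10I",
                       xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
                       AUTH_NULL, 0,      # credentials: flavor, body length
                       AUTH_NULL, 0)      # verifier:    flavor, body length


def build_dump_reply(xid: int, mappings: List[Mapping]) -> bytes:
    """Accepted/SUCCESS reply a portmapper would send for DUMP. Used here to
    construct offline test data (and handy for mocking a reflector)."""
    head = struct.pack(">6I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS)
    body = b"".join(struct.pack(">5I", 1, *m) for m in mappings)  # value_follows=1
    return head + body + struct.pack(">I", 0)                      # end of list


def parse_dump_reply(xid: int, data: bytes) -> List[Mapping]:
    """Decode a DUMP reply; raise ValueError for anything that is not an
    accepted, successful reply to our xid (MSG_DENIED, PROG_MISMATCH, ...)."""
    if len(data) < 20:
        raise ValueError("reply shorter than RPC reply header")
    rxid, mtype, rstat, _vflavor, vlen = struct.unpack(">5I", data[:20])
    if rxid != xid or mtype != MSG_REPLY:
        raise ValueError("not a reply to our request")
    if rstat != MSG_ACCEPTED:
        raise ValueError("MSG_DENIED")
    off = 20 + ((vlen + 3) & ~3)          # skip XDR-padded verifier body
    if off + 4 > len(data):
        raise ValueError("truncated accept_stat")
    (astat,) = struct.unpack(">I", data[off:off + 4])
    off += 4
    if astat != SUCCESS:
        raise ValueError(f"accept_stat={astat}")
    mappings: List[Mapping] = []
    while True:                            # pmaplist: (value_follows, mapping)*
        if off + 4 > len(data):
            raise ValueError("truncated pmaplist")
        (more,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        if not more:
            return mappings
        if off + 16 > len(data):
            raise ValueError("truncated mapping")
        mappings.append(struct.unpack(">4I", data[off:off + 16]))
        off += 16


def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bytes returned per byte sent; anything > 1 makes the host a usable reflector."""
    return len(reply) / len(request)


def probe(host: str, port: int = 111,
          timeout: float = 2.0) -> Optional[Tuple[List[Mapping], float]]:
    """Send one DUMP request from the current vantage point and return
    (mappings, amplification factor), or None if there is no answer.
    Run it from outside your infrastructure range, against hosts you own."""
    xid = 0x6A6E7370                      # arbitrary transaction id
    req = build_dump_request(xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_dump_reply(xid, data), amplification_factor(req, data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: pmap_probe.py <host>")
    result = probe(sys.argv[1])
    if result is None:
        print("no answer on udp/111")
    else:
        print(f"{len(result[0])} registrations, amplification x{result[1]:.1f}")
```

With a constructed registration list of four entries (portmapper itself on tcp and udp, nfs, mountd) the reply is 108 bytes for a 40-byte query, i.e. about 2.7x; every additional registration adds 20 bytes. A host that answers this from an arbitrary source address is a reflector whatever else it does, which is why the thread's advice (a lo0 filter that only admits the infrastructure range on 111, or an infrastructure prefix that is never announced) is the fix, not tuning rpcbind.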