[j-nsp] [EXT] Re: Decoding DDOS messages

Chuck Anderson cra at WPI.EDU
Wed Mar 18 12:28:48 EDT 2020


On Wed, Mar 18, 2020 at 11:16:54AM -0500, John Kristoff wrote:
> On Wed, 18 Mar 2020 16:02:09 +0000
> Saku Ytti <saku at ytti.fi> wrote:
> 
> > It is completely broken: you use 'port', so you expose every port in your system.
> 
> Ha, OK thanks.  I think that would require some not so easy spoofing
> unless I'm missing something.  We can convert any statement that just
> uses port to directional, which I think will require additional rules
> to tighten it up.  Feel free to submit example configs.

To bypass your filter, just SSH using source port 179 (bgp), destination port 22, and you are in (as long as you are a BGP neighbor for this specific term):

filter loopback-v4 {
    term bgp {
        from {
            source-prefix-list {
                bgp-neighbors-v4;
            }
            protocol tcp;
            port bgp;
        }
        then {
            count bgp;
            accept;
        }
    }
}

Fix:

/* allow inbound BGP connections */
term bgp-inbound {
    from {
        source-prefix-list {
            bgp-neighbors-v4;
        }
        protocol tcp;
        source-port 1024-65535;
        destination-port bgp;
    }
    then {
        count bgp;
        accept;
    }
}
/* allow reply packets to outbound BGP connections */
term bgp-replies {
    from {
        source-prefix-list {
            bgp-neighbors-v4;
        }
        protocol tcp;
        source-port bgp;
        destination-port 1024-65535;
        tcp-established;
    }
    then {
        count bgp-replies;
        accept;
    }
}
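
Added example, my own Python rather than anything from the post or from Junos: a small model of how these firewall-filter terms match, used to check that the directional terms above no longer accept the source-port-179 SSH case that the bidirectional `port bgp` term lets through. It assumes prefix-list matching reduced to exact-address membership, a constructed neighbor set, and a boolean `established` flag standing in for the ACK/RST check that `tcp-established` performs.

```python
BGP_PORT = 179
NEIGHBORS = {"192.0.2.1", "192.0.2.2"}  # constructed stand-in for bgp-neighbors-v4
# The post's original term: "port" matches on EITHER the source or the destination port.
BROKEN = [{"name": "bgp", "then": "accept",
           "from": {"source-prefix-list": NEIGHBORS, "protocol": "tcp",
                    "port": (BGP_PORT, BGP_PORT)}}]
# The post's fix: one term per direction; replies must carry ACK or RST.
FIXED = [
    {"name": "bgp-inbound", "then": "accept",
     "from": {"source-prefix-list": NEIGHBORS, "protocol": "tcp",
              "source-port": (1024, 65535), "destination-port": (BGP_PORT, BGP_PORT)}},
    {"name": "bgp-replies", "then": "accept",
     "from": {"source-prefix-list": NEIGHBORS, "protocol": "tcp",
              "source-port": (BGP_PORT, BGP_PORT), "destination-port": (1024, 65535),
              "tcp-established": True}},
]

def in_range(port, rng):
    return rng[0] <= port <= rng[1]

def term_matches(term, pkt):
    # Every 'from' condition must hold; 'port' alone is satisfied by either port.
    for key, want in term["from"].items():
        if key == "source-prefix-list" and pkt["src"] not in want:
            return False
        if key == "protocol" and pkt["proto"] != want:
            return False
        if key == "port" and not (in_range(pkt["sport"], want) or in_range(pkt["dport"], want)):
            return False
        if key == "source-port" and not in_range(pkt["sport"], want):
            return False
        if key == "destination-port" and not in_range(pkt["dport"], want):
            return False
        if key == "tcp-established" and not pkt["established"]:
            return False
    return True

def evaluate(terms, pkt):
    # Action of the first matching term, else the implicit discard that ends a Junos filter.
    for term in terms:
        if term_matches(term, pkt):
            return term["then"]
    return "discard"

def tcp_packet(src, sport, dport, established=False):
    # Constructed packet; 'established' stands for the ACK/RST flag check of tcp-established.
    return {"src": src, "proto": "tcp", "sport": sport, "dport": dport, "established": established}

SSH_FROM_NEIGHBOR = tcp_packet("192.0.2.1", 179, 22)               # SYN to ssh, source port 179
BGP_SYN_IN = tcp_packet("192.0.2.1", 40000, 179)                   # neighbor opens a BGP session
BGP_REPLY = tcp_packet("192.0.2.1", 179, 40000, established=True)  # reply to our outbound session
FAKE_REPLY = tcp_packet("192.0.2.1", 179, 40000)                   # SYN from 179 to a high port
```

Running `evaluate(BROKEN, SSH_FROM_NEIGHBOR)` returns `accept` while `evaluate(FIXED, SSH_FROM_NEIGHBOR)` returns `discard`; the real BGP SYN and the established reply still pass the fixed terms, and a non-ACK packet from port 179 to a high port does not.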

