[j-nsp] [EXT] Re: Decoding DDOS messages
Saku Ytti
saku at ytti.fi
Wed Mar 18 12:33:11 EDT 2020
On Wed, 18 Mar 2020 at 18:28, Chuck Anderson <cra at wpi.edu> wrote:
> term bgp-inbound {
> from {
> source-prefix-list {
> bgp-neighbors-v4;
> }
> protocol tcp;
> source-port 1024-65535;
This is immaterial, you don't care what this SPORT is. Be liberal.
> term bgp-replies {
> from {
> source-prefix-list {
> bgp-neighbors-v4;
> }
> protocol tcp;
> source-port bgp;
> destination-port 1024-65535;
This you care very much, and ephemeral range in your device is
49125-65535, 1024-49124 could have something listening in them.
If you are in position where you only have customers and RR, no peers
or anything else where there is no 'owner'. You should set your
customer BGP to passive, so customer _always_ starts the BGP, you will
never try to start it. Equally you should set your RR to passive, so
clients always connect to RR, RR never.
This will allow greatly simplified filters for BGP, much safer, as
well as trivial way to police iBGP and eBGP separately, in times when
dddos-protection was not available.
--
++ytti
More information about the juniper-nsp
mailing list