On Thu, 17 Mar 2011, Brandon Ross wrote:
On Thu, 17 Mar 2011, Clarke Morledge wrote:
What I have in mind is some way to use the SRX to grab the IPs of
misbehaving hosts and put the address in a RIB. Then I can use routing
policy to put the route into a BGP feed to a border router that would null
route traffic to and from that IP address using tricks with Unicast Reverse
Path Forwarding.
Cool, so if a miscreant wants to DoS you, all he has to do is spoof source
traffic from any destinations that are important to you and you'll do the
null routing for him, eh?
Brandon,
As I mentioned in my original post, there are all sorts of DoS issues to
consider, and your point is one of them.
However, isn't this an issue with any inline IPS that has some type of
quarantining function? Furthermore, doesn't the IDP functionality on the
SRX itself suffer the same limitation?
My main consideration is to take the IPS-ish intelligence on the SRX and
push the quarantining function back to a routing device further upstream.
There's a lot of low hanging fruit you could deal with in this way. We
already use blacklisting via null routing with uRPF very effectively.
But we have to manually add to the blacklist. The question I have is
whether you can automate this via the SRX, aside from the DoS concern.
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
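An added example (not code from either poster) of the gating logic a practitioner would put between an IPS/IDP detection feed and the RIB that feeds the blackhole BGP session, addressing the spoofing concern raised above: addresses inside an allowlist of prefixes that must never be null-routed (own space, resolvers, peers) are refused outright, a single detection is not enough to trigger a route, and the number of unattended additions is capped. The detection events, the allowlist, the community value and the exact Junos statement shape are all assumptions constructed for this example and would need to match the real network and export policy.

```python
"""Gate automatically detected IPs before they become discard routes.

Everything below is constructed for illustration: the sample events,
the protected prefixes, the community value and the Junos command form
are assumptions, not the poster's configuration.
"""
import ipaddress
from collections import Counter

# Assumed allowlist: prefixes we refuse to blackhole no matter what the
# detector says. A spoofed packet claiming one of these as its source must
# not turn the automation into a self-inflicted DoS.
PROTECTED_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),  # assumed: our own public /24
    ipaddress.ip_network("203.0.113.53/32"),  # assumed: upstream resolver
    ipaddress.ip_network("192.0.2.1/32"),     # assumed: BGP peer address
    ipaddress.ip_network("10.0.0.0/8"),       # assumed: internal RFC1918 space
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

BLACKHOLE_COMMUNITY = "65000:666"  # assumed; the export policy matches on it
MAX_AUTO_ENTRIES = 50              # assumed cap on unattended additions
MIN_HITS = 3                       # assumed: require repeated detections


def is_protected(ip, protected=PROTECTED_PREFIXES):
    """True if the address falls inside any prefix we refuse to blackhole."""
    addr = ipaddress.ip_address(ip)
    # 'in' is False for a version mismatch, so v4 and v6 prefixes can mix.
    return any(addr in net for net in protected)


def select_candidates(events, protected=PROTECTED_PREFIXES,
                      min_hits=MIN_HITS, max_entries=MAX_AUTO_ENTRIES):
    """Return host addresses that pass every gate, most frequent first.

    events: iterable of (ip, reason) tuples as an IPS/IDP might emit them.
    Gates: must parse as a unicast address, must not be protected, must have
    been seen at least min_hits times, and the total is capped at max_entries.
    """
    hits = Counter()
    for ip, _reason in events:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line from the feed, skip it
        if addr.is_multicast or addr.is_loopback or addr.is_unspecified:
            continue  # never a meaningful blackhole target
        if is_protected(ip, protected):
            continue
        hits[str(addr)] += 1
    ranked = [ip for ip, n in hits.most_common() if n >= min_hits]
    return ranked[:max_entries]


def junos_discard_commands(ips, community=BLACKHOLE_COMMUNITY):
    """Render each address as a host-route static discard entry tagged with
    the community the export policy toward the border router matches."""
    cmds = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        prefix = f"{addr}/{addr.max_prefixlen}"
        # IPv6 statics live in inet6.0; IPv4 statics default to inet.0.
        base = ("set routing-options rib inet6.0 static route"
                if addr.version == 6 else "set routing-options static route")
        cmds.append(f"{base} {prefix} discard")
        cmds.append(f"{base} {prefix} community {community}")
    return cmds


# Constructed sample feed: a repeat scanner, a brute-forcer, an IPv6 source,
# a spoofed "attack" claiming our resolver as source, an internal host,
# a one-off hit and a garbage line.
SAMPLE_EVENTS = (
    [("192.0.2.99", "port scan")] * 4
    + [("192.0.2.77", "ssh brute force")] * 3
    + [("2001:db8::1", "port scan")] * 3
    + [("203.0.113.53", "syn flood")] * 3   # spoofed; resolver is protected
    + [("10.0.0.9", "port scan")] * 3       # RFC1918, protected
    + [("192.0.2.200", "port scan")]        # only once, below MIN_HITS
    + [("not-an-ip", "parser junk")]
)

if __name__ == "__main__":
    for line in junos_discard_commands(select_candidates(SAMPLE_EVENTS)):
        print(line)
```

Running the block prints the discard statements for the three addresses that survive the gates; the resolver claimed as a spoofed source, the internal host, the single-hit address and the unparsable line are all dropped before any route is generated. Expiry is the other half of this design: entries pushed this way should carry a timestamp and be removed after a fixed window so a spoofed burst cannot leave a permanent hole.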
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp