You can limit flows per individual source IP (not NAT ports) using UTM
https://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/configuration-statement/security-edit-limit.html
You'll need a UTM license.
And if you are doing NAT on branch SRX, UTM is supported only on high-memory branch SRX boxes.
Thanks
Alex


----- Original Message ----- From: "Jonathan Lassoff" <j...@thejof.com>
To: <juniper-nsp@puck.nether.net>
Sent: Monday, October 29, 2012 9:55 PM
Subject: [j-nsp] SRX: rate-limiting source NAT sources


So, I'm working on tuning an SRX deployment and am wondering if
something is possible.

This deployment is doing a lot of source NAT for a wide variety of
endpoints as they egress out to the Internet. Pretty vanilla
configuration.
Specific sources are mapped via NAT rules to specific egress IPs (for
IP filtering in some places, outside of the SRXes in question).

And once in a while, some endpoint will have a legitimate need to open
up *many* connections (and then NAT states) that pass over this SRX
deployment.
Unfortunately, the rate of connection establishment relative to the
application timeouts means that these heavy users can use up all of
the ephemeral ports, blocking new flows from becoming established.

We've been playing a bit of whack-a-mole, assigning more IP space to
the various source NAT pools, but would like to find a more proper
solution.


So, my question is this: is there any mechanism anyone knows of to
rate-limit or block-past-a-threshold a "source NAT" source if it
starts making too many connections?
I don't see anything obvious in the SRX documentation, so I figured
I'd ask here for pointers.

Right now, it's way too easy for one bad actor (malicious or
benevolent) to max out a source NAT pool.

Cheers,
jof
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

