Hi Mike, I would like to hear from others about anything that might be built into Junos regarding intrusion or ddos types of traffic handling... (I do see ddos mentioned in the cli shown below) since I too will soon have at least 2 and maybe 3 MX960 boundary routers between my ISP and the internet and will need to do this in Junos also...
...now, I can say that I accomplished something like what you are asking on my current internet boundary ASR9k's using a home-grown, crafted ddos mitigation strategy... It goes back a few years when we were getting slammed with volumetric-type ddos and it was filling up my lower speed internal distribution network links, and occasionally even filling up our internet links as well (more on that later)... We did talk to vendors like Arbor and Radware and others, but they cost a lot depending on size and aren't exactly simple either.... What we did was, using netflow and other common knowledge and research, crafted a sort of defense-in-depth strategy...

...if it absolutely does not need to come through and has no legitimate uses, drop it. Acl inbound, deny.

...if it has real uses, like ntp, dns, etc, but absolutely should not be coming in at a rate of 2 gbps !!!, then put it into a policer bucket at a realistic level... we did this with cisco mqc type service-policy, policy-map, class-map, acls, etc.

...there are other attack vectors that we learned about via netflow, for which we crafted other udp port lists and applied them to other policer buckets with manageable levels...

...if it's a sustained attack and filling up our internet uplinks or repeated to the same victim, then we trigger rtbh, which is a set of bgp /32 advertisements or communities that get advertised out to our (3) upstream providers and that stops the attack out in the cloud and it no longer arrives at our "front door" filling up our internet connections. My rtbh trigger router is a cisco 2600 which has a 100 mbps connection, and I gave the NOC a job aid (script of cli commands) which is very simply a couple lines of commands that have the ip of the victim under attack; they paste that into the 2600 cli and, lightning fast, that advertisement is bgp advertised to my boundaries/cogent (since they do rtbh differently than my other 2) with the needed communities applied and the attack stops.
...I recall the way we learn about the victim ip under attack is via netflow alerts using nfsen/nfdump alerts sent to cell phones and noc email. btw, nanog might also be a good place for a question like this...those folks seem to know a lot about internet-wide stuff and seem to be quite juniper savvy too.

seeing some things about ddos in junos...

{master}
agould@lab-960> show version | grep Junos:
Junos: 17.4R1-S2.2

agould@lab-960> show ddos-protection version
DDOS protection, Version 1.1
Total protocol groups = 101
Total tracked packet types = 222

{master}
agould@lab-960> show ddos-protection protocols ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
  parameters           Show parameters for all protocols
  statistics           Show statistics and states for all protocols
  violations           Show summary of all protocol violations
  flow-detection       Show flow detection parameters
  culprit-flows        Show detected culprit flows
  resolve              Show resolve traffic information
  filter-action        Show filter action traffic (none-dhcp) information
.
.
.
root@lab-mx-240> show ddos-protection ?
Possible completions:
  protocols            Show protocol information
  statistics           Show overall statistics
  version              Show version

root@lab-mx-240> show ddos-protection version
DDOS protection, Version 1.0
Total protocol groups = 97
Total tracked packet types = 212

root@lab-mx-240> show version | grep Junos:
Junos: 16.1R3-S7.1

root@lab-mx-240>

- Aaron

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of mike+j...@willitsonline.com
Sent: Friday, June 22, 2018 7:12 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] essential network rate limiting and ddos mitigation

Hello,

I am very new to juniper, please pardon my ignorance. I have an MX240, and I have a 10G link to my upstream. I have several other links facing my customers and hosting infrastructure which all run at something decidedly less than 10G.
I'm interested in implementing some network rate limit controls so that certain common attacks like dns / ldap / memcache reflection can be rate limited down to reasonable levels and avoid trying to forward a 4gbps stream down a 100mbps pipe. I know I want a layered system of policies and that I want to include perhaps sampling and such with jflow or other tools and rtbh, but for right now having even just basic limits on known reflection attack protocols would be a huge step forward.

I was wondering what the 'quick and dirty' setup of rate limiting the forwarding of certain protocols and to certain destination networks / interfaces would look like on this platform. Some basic config snippets would be a huge help.

Thank you.

Mike-

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
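The three layers Aaron describes on his ASR9k's (acl deny for traffic with no legitimate use, a policer bucket for protocols with real uses that should never arrive at multi-gbps rates, and rtbh /32 advertisements toward the upstreams) map onto the Junos constructs Mike is asking about. The configuration below is an added example written for this thread, not something either Aaron or Mike posted: a firewall filter with a policer applied inbound on the upstream interface, plus a static discard route exported to the upstream with a blackhole community. The interface name xe-0/0/0, the bandwidth and burst values, the UDP port lists, the victim prefix 192.0.2.10/32, the peer AS 64496, the neighbor 203.0.113.1 and the community 65000:666 are all constructed placeholders; the real blackhole community and the /32 acceptance rules come from each upstream's own documentation, which, as Aaron notes, differ between providers.

```junos
/* Added example (not from this thread): Aaron's three layers expressed in Junos.
   All names, ports, limits, prefixes, AS numbers and the community are
   constructed placeholders; tune them to your own netflow data. */
firewall {
    /* Layer 2: "has real uses but must not arrive at 2 gbps" -> policer bucket */
    policer REFLECTION-BUCKET {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        filter EDGE-IN {
            /* Layer 1: no legitimate use from the internet -> acl deny
               (chargen and SSDP chosen here as constructed examples) */
            term drop-no-legit-use {
                from {
                    protocol udp;
                    source-port [ 19 1900 ];
                }
                then {
                    count drop-no-legit-use;
                    discard;
                }
            }
            /* Layer 2: dns / ntp / cldap / memcache reflection sources,
               counted so "show firewall filter EDGE-IN" shows what the bucket sees */
            term police-reflection {
                from {
                    protocol udp;
                    source-port [ 53 123 389 11211 ];
                }
                then {
                    policer REFLECTION-BUCKET;
                    count police-reflection;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/0 {
        description "upstream ISP link (placeholder)";
        unit 0 {
            family inet {
                filter {
                    input EDGE-IN;
                }
            }
        }
    }
}
/* Layer 3: rtbh. The NOC adds one static discard route for the victim /32
   (the Junos equivalent of Aaron's job-aid paste); the export policy
   announces only /32s that carry the blackhole community. */
routing-options {
    static {
        route 192.0.2.10/32 {
            discard;
            community 65000:666;
        }
    }
}
policy-options {
    community BLACKHOLE members 65000:666;
    policy-statement EXPORT-UPSTREAM {
        term rtbh {
            from {
                protocol static;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
                community BLACKHOLE;
            }
            then accept;
        }
        /* the normal aggregate-prefix export terms belong here */
        term deny-rest {
            then reject;
        }
    }
}
protocols {
    bgp {
        group UPSTREAM {
            type external;
            export EXPORT-UPSTREAM;
            peer-as 64496;
            neighbor 203.0.113.1;
        }
    }
}
```

Two caveats a practitioner would want. First, the `show ddos-protection` output in Aaron's lab session is the Routing Engine's control-plane protection: it polices packets punted to the RE and does not rate-limit transit traffic, so it complements the filter above rather than replacing it. Second, the policer here is per ingress interface and victim-agnostic, which is exactly the "realistic level" bucket Aaron describes; the per-victim step still depends on something like his nfsen/nfdump alerting telling the NOC which /32 to add, and on each upstream honouring the /32 with its documented community.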