Hi Mike, I would like to hear from others about anything that might be built 
into Junos regarding intrusion or ddos types of traffic handling... (I do see 
ddos mentioned in cli shown below) since I too will soon have at least 2 and 
maybe 3, MX960 boundary routers between my ISP and the internet and will need 
to do this in Junos also...

...now, I can say that I accomplished something to which you are asking on my 
current internet boundary ASR9k's using home-grown, crafted ddos mitigation 
strategy...

It goes back a few years when we were getting slammed with volumetric-type ddos 
and it was filling up my lower speed internal distribution network links, and 
occasionally even filling up our internet links as well (more on that later)...

We did talk to vendors like Arbor and Radware and others, but they cost a lot 
depending on size and aren't exactly simple either....

What we did was, using netflow and other common knowledge and research, crafted 
a sort of defense-in-depth strategy...

...if it absolutely does not need to come through and has no legitimate uses, 
drop it.  Acl inbound, deny.

...if it has real uses, like ntp, dns, etc, but absolutely should not be coming 
in at rate of 2 gbps !!!, then put it into a policer bucket at a realistic 
level... we did this with cisco mqc type service-policy, policy-map, class-map, 
acls, etc.

...there are other attack vectors that we learned about via netflow, for which we 
crafted other udp port lists and applied to other policer buckets with 
manageable levels...

...if it's a sustained attack and filling up our internet uplinks or repeated 
to same victim, then we trigger rtbh which is a set of bgp /32's advertisements 
or communities that get advertised out to our (3) upstream providers and that 
stops the attack out in the cloud and no longer arrives at our "front door" 
filling up our internet connections.  My rtbh trigger router is a cisco 2600 
which has a 100 mbps connection, and I gave the NOC a job aid (script of cli 
commands) which is very simply a couple lines of commands that have the ip of 
the victim under attack and they paste that into the 2600 cli and, like 
lightning fast, that advertisement is bgp advertised to my boundaries/cogent 
(since they do rtbh differently than my other 2) with needed communities 
applied and attack stops.

...I recall the way we learn about the victim ip under attack is via netflow 
alerts using nfsen/nfdump alerts sent to cell phones and noc email

btw, nanog might also be a good place for a question like this...those folks 
seem to know a lot about internet-wide stuff and seem to be quite juniper savvy 
too

seeing some things about ddos in junos...

{master}
agould@lab-960> show version | grep Junos:
Junos: 17.4R1-S2.2

agould@lab-960> show ddos-protection version
DDOS protection, Version 1.1
  Total protocol groups       = 101
  Total tracked packet types  = 222

{master}
agould@lab-960> show ddos-protection protocols ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
  parameters           Show parameters for all protocols
  statistics           Show statistics and states for all protocols
  violations           Show summary of all protocol violations
  flow-detection       Show flow detection parameters
  culprit-flows        Show detected culprit flows
  resolve              Show resolve traffic information
  filter-action        Show filter action traffic (none-dhcp) information
.
.
.

root@lab-mx-240> show ddos-protection ?
Possible completions:
  protocols            Show protocol information
  statistics           Show overall statistics
  version              Show version
root@lab-mx-240> show ddos-protection version
DDOS protection, Version 1.0
  Total protocol groups       = 97
  Total tracked packet types  = 212

root@lab-mx-240> show version | grep Junos:
Junos: 16.1R3-S7.1

root@lab-mx-240>

- Aaron
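An added example, not from Aaron's or Mike's post, showing how the three layers Aaron describes (drop what has no legitimate inbound use, police what does, and RTBH the victim when the uplink fills) would look as Junos configuration on an MX edge. Note that the `ddos-protection` feature in the CLI output above protects the Routing Engine from control-plane floods; it does not rate limit transit traffic, which is what a firewall filter and policer on the upstream interface do. The interface name, policer rates, counter and policy names, BGP group name, the victim prefix (192.0.2.10, a documentation address) and the blackhole community 65000:666 are all assumptions or placeholders; the real community, or a next-hop rewrite if that is what the upstream wants, comes from each provider, and the bucket sizes come from your own NetFlow baselines. Fragments get their own term because a non-first fragment carries no UDP header, so a port match never sees it and a fragmented amplification flood would otherwise pass untouched.

```junos
/* Added example (not from the thread). Interface, rates, prefix, policy
   and community values are placeholders; tune them from your own flow data. */
firewall {
    /* Bucket for protocols that have legitimate uses but never at attack rates.
       By default each term that references this policer gets its own instance
       (add "filter-specific" to share one bucket across terms). */
    policer reflection-limit {
        if-exceeding {
            bandwidth-limit 100m;      /* assumed: fits the smallest downstream link */
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        filter edge-in {
            /* Layer 1: no legitimate inbound use from the Internet -> drop. */
            term drop-memcached {
                from {
                    protocol udp;
                    source-port 11211;
                }
                then {
                    count memcached-drop;
                    discard;
                }
            }
            /* Layer 2: DNS, NTP and CLDAP responses are real traffic -> police. */
            term police-udp-reflection {
                from {
                    protocol udp;
                    source-port [ 53 123 389 ];
                }
                then {
                    policer reflection-limit;
                    count udp-reflection;
                    accept;
                }
            }
            /* Non-first fragments have no UDP header, so the port match above
               never sees them; police them in their own bucket instead of
               letting the bulk of a fragmented amplification flood through. */
            term police-udp-fragments {
                from {
                    protocol udp;
                    is-fragment;
                }
                then {
                    policer reflection-limit;
                    count udp-fragments;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/0 {                         /* assumed upstream-facing port */
        unit 0 {
            family inet {
                filter {
                    input edge-in;
                }
            }
        }
    }
}
/* Layer 3: RTBH trigger. A /32 static route tagged with the upstream's
   blackhole community is exported over BGP so the provider drops the
   victim's traffic before it reaches the edge. Only /32 static routes
   carrying the community are matched, so nothing else leaks out. */
routing-options {
    static {
        route 192.0.2.10/32 {
            discard;
            community 65000:666;       /* placeholder: use the provider's value */
        }
    }
}
policy-options {
    community BLACKHOLE members 65000:666;
    policy-statement rtbh-export {
        term blackhole-only {
            from {
                protocol static;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
                community BLACKHOLE;
            }
            then accept;
        }
    }
}
protocols {
    bgp {
        group upstream {               /* assumed group name */
            /* customer-routes stands for the group's existing export policy */
            export [ rtbh-export customer-routes ];
        }
    }
}
```

To blackhole another victim the NOC adds one more `route x.x.x.x/32 discard community 65000:666` under `routing-options static` and commits, which is the Junos equivalent of the job aid Aaron pastes into the 2600; `show firewall filter edge-in` shows the per-term counters and the policer's discard count, which is the first place to look when deciding whether a bucket is sized right.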


-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
mike+j...@willitsonline.com
Sent: Friday, June 22, 2018 7:12 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] essential network rate limiting and ddos mitigation

Hello,


    I am very new to juniper, please pardon my ignorance.


    I have an MX240, and I have a 10G link to my upstream. I have
several other links facing my customers and hosting infrastructure which
all run at something decidedly less than 10G. I'm interested in
implementing some network rate limit controls so that certain common
attacks like dns / ldap / memcache reflection can be rate limited down
to reasonable levels and avoid trying to forward a 4gbps stream down a
100mbps pipe. I know I want a layered system of policies and that I want
to include perhaps sampling and such with jflow or other tools and rtbh,
but for right now having even just basic limits on known reflection
attack protocols would be a huge step forward.

    I was wondering what the 'quick and dirty' setup of rate limiting
the forwarding of certain protocols and to certain destination networks
/ interfaces would look like on this platform. Some basic config
snippets would be a huge help.


Thank you.

Mike-


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
