Solved

EX 4500 Flood Protection

Posted on 2014-12-08
398 Views
Last Modified: 2014-12-09
Is there any possibility to add the following protections to the EX4500 by security filters?

Syn Flood
ACK Flood
FIN Flood
TCP Connection Flood
UDP Flood DDoS
ICMP Flood DDoS


Our config is given below:


## Last changed: 2014-12-08 17:41:57 UTC
version 12.3R8.7;
system {
    host-name gate.spdnet.net;
    root-authentication {

    }
    services {
        ssh {
            protocol-version v2;
        }
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 3;
        }
    }
}
interfaces {
    xe-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ae0 {
        description xxxxxx;
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }
    ae1 {
        description "Netscaler UPlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.98.37.33/30;
            }
        }
    }
    ae2 {
        description "Netscaler Downlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    me0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.32.35.14/30;
            }
        }
        unit 1 {
            family inet {
                filter {
                    input only-spd-network;
                }
  
            }
        }
    }
}
snmp {
    location izmir;
    contact "xxxx";
    community xxxx{
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.32.35.13;
       
    }
    autonomous-system 57844;
}
protocols {
    bgp {
        group xxxxxx{
            type external;
            description xxxxxxx;
            local-address 10.32.35.14;
            import SPD-IN;
            export SPD-OUT;
            peer-as 43391;
            neighbor 10.32.35.13;
        }
    }
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    sflow {
        polling-interval 10;
        sample-rate 500;
        source-ip 185.9.157.1;
        collector 185.9.157.19;
        interfaces xe-0/0/0.0;
        interfaces xe-0/0/1.0;
    }
}
policy-options {
    prefix-list SPD-PREFIX-LIST {
        185.9.157.0/24;
    }
    policy-statement SPD-IN {
        term 1 {
            then accept;
        }
    }
    policy-statement SPD-OUT {
        term 1 {
            from {
                prefix-list SPD-PREFIX-LIST;
            }
            then {
                community + Firewall;
                accept;
            }
        }
        term 500 {
            then reject;
        }
    }
    community Firewall members [ 9121:444 43391:111 ];
}
firewall {
    family inet {
        filter only-spd-network {
            term 1 {
                from {
                    source-address {

                    }
                }
                then accept;
            }
            term 500 {
                then {
                    reject;
                }
            }
        }
    }
}
ethernet-switching-options {
    voip;
    storm-control {
        interface all;
    }
}
vlans {
    xxxxxx{
        vlan-id 51;
        interface {
            ae0.0;
        }
        l3-interface vlan.0;
    }
    default {
        l3-interface vlan.1;
    }
}


Question by:Cahit Eyigunlu

10 Comments

LVL 61

Expert Comment

by:btan
ID: 40488225
Taking reference from the Juniper OS guide and configuration can be a good start. It seems the means for DoS or flooding filtering is via permitting only traffic within a specified set of rate limits. Traffic that exceeds the rate limits specified by the policer is either discarded immediately or is marked as lower priority than traffic that is within the rate limits. The switch discards the lower-priority traffic when there is traffic congestion.
A policer applies two types of rate limits on traffic:
• Bandwidth—The number of bits per second permitted, on average.
• Maximum burst size—The maximum size permitted for bursts of data that exceed the given bandwidth limit.
You can define specific classes of traffic on an interface and apply a set of rate limits to each class. After you name and configure a policer, it is stored as a template. You can then use the policer in a firewall filter configuration. In Chapter 5, it drills into the configuration statements; the structure will be sort of the below:
policer policer-name {
    filter-specific;
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        policer-action;
    }
}
E.g. you can catch page 129 on "Configuring Policers to Control Traffic Rates (CLI Procedure)":
3. Configure rate limiting for the policer:
a. Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k
The range for the bandwidth limit is 1k through 102.3g bps.

b. Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:
burst size = (bandwidth) * (allowable time for burst traffic)
The range for the burst-size limit is 1 through 2,147,450,880 bytes.
...and map it specifically to the protocol in the overall rule.

http://www.juniper.net/techpubs/en_US/junos13.2/information-products/pathway-pages/ex-series/routing-policy.pdf
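An added example, not part of the thread and not Juniper code: the Python below models the policer described in the comment above as a single-rate token bucket. That bucket model is an assumption about the policer's behaviour (bandwidth-limit is taken as the refill rate in bits per second, burst-size-limit as the bucket depth in bytes). It parses the k/m/g suffixes, checks the two ranges quoted from the guide, applies the burst-size formula, and runs a constructed packet stream through the 300k / 500k values used in the quoted procedure.

```python
"""Model of a Junos policer (added example, not Juniper code). Assumption: the policer
behaves as a single-rate token bucket whose depth is burst-size-limit (bytes) and whose
refill rate is bandwidth-limit (bits per second)."""

# Junos numeric suffixes are decimal: k = 1000, m = 1,000,000, g = 1,000,000,000.
_SUFFIX = {"k": 10**3, "m": 10**6, "g": 10**9}

# Ranges quoted in the thread from the EX Series guide.
BANDWIDTH_MIN_BPS, BANDWIDTH_MAX_BPS = 1_000, 102_300_000_000
BURST_MIN_BYTES, BURST_MAX_BYTES = 1, 2_147_450_880


def parse_junos_number(value):
    """'300k' -> 300000, '102.3g' -> 102300000000, '1500' -> 1500."""
    value = value.strip().lower()
    if value[-1] in _SUFFIX:
        return int(round(float(value[:-1]) * _SUFFIX[value[-1]]))
    return int(value)


def check_policer(bandwidth_limit, burst_size_limit):
    """Parse both limits and reject values outside the documented ranges."""
    bps = parse_junos_number(bandwidth_limit)
    burst = parse_junos_number(burst_size_limit)
    if not BANDWIDTH_MIN_BPS <= bps <= BANDWIDTH_MAX_BPS:
        raise ValueError(f"bandwidth-limit {bandwidth_limit} outside 1k..102.3g bps")
    if not BURST_MIN_BYTES <= burst <= BURST_MAX_BYTES:
        raise ValueError(f"burst-size-limit {burst_size_limit} outside 1..2147450880 bytes")
    return bps, burst


def in_documented_range(bandwidth_limit, burst_size_limit):
    """Boolean form of check_policer, handy for validating a candidate config."""
    try:
        check_policer(bandwidth_limit, burst_size_limit)
        return True
    except ValueError:
        return False


def recommended_burst_bytes(interface_bps, burst_seconds):
    """The guide's formula, burst size = bandwidth * allowable burst time.
    bps * seconds yields bits; burst-size-limit is configured in bytes, hence the / 8."""
    return int(round(interface_bps * burst_seconds / 8))


def simulate_policer(bandwidth_limit, burst_size_limit, packets):
    """Run (arrival_time_s, length_bytes) packets through the bucket and return an
    'accept' or 'discard' verdict per packet ('discard' is what `then discard` does)."""
    bps, depth = check_policer(bandwidth_limit, burst_size_limit)
    refill_bytes_per_s = bps / 8
    tokens = float(depth)                      # the bucket starts full
    last_t = packets[0][0] if packets else 0.0
    verdicts = []
    for t, length in packets:
        tokens = min(depth, tokens + (t - last_t) * refill_bytes_per_s)
        last_t = t
        if length <= tokens:                   # in profile: spend tokens, forward
            tokens -= length
            verdicts.append("accept")
        else:                                  # out of profile: policer-action
            verdicts.append("discard")
    return verdicts


def flood_outcome():
    """Constructed scenario: two bursts of 400 x 1500-byte packets one second apart,
    policed with the 300k / 500k values from the quoted procedure."""
    stream = [(0.0, 1500)] * 400 + [(1.0, 1500)] * 400
    verdicts = simulate_policer("300k", "500k", stream)
    return verdicts.count("accept"), verdicts.count("discard")


if __name__ == "__main__":
    print(flood_outcome())                                 # (358, 442)
    print(recommended_burst_bytes(10_000_000_000, 0.005))  # 6250000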
Author Comment

by:Cahit Eyigunlu
ID: 40488813
But that blocks standard downloads or speed tests, etc. too.
LVL 61

Expert Comment

by:btan
ID: 40488829
Indeed, but it can rate-limit that flooding, and this is normally neglected as most just focus on protocol-anomaly-based flooding; you need layers of protection. As mentioned, there is no built-in rule for the EX switch, but you can have the rate limit with the protocol check too, e.g. as shared in a forum:
            term tcp-dos-protect-1 {
                from {
                    protocol tcp;
                    tcp-flags "syn&!ack";
                }
                then policer tcp-dos-policer;
            }
            term tcp-dos-protect-2 {
                from {
                    protocol tcp;
                    tcp-flags "fin|rst";
                }
                then policer tcp-dos-policer;
            }

...

    policer tcp-dos-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
But do check this out, even though it is stated for DoS protection via a Juniper MX router:
firewall {
    policer TCP-SYN-Policer {
        if-exceeding {
            bandwidth-limit 8k;
            burst-size-limit 1500;
        }
        then discard;
    }
    family inet {
        filter DOS-Protect {
            :
            :
            /* Term tcp-syn-fin-limit: Rate limit TCP packets with SYN/FIN/RST flags. */
            term tcp-syn-fin-limit {
                from {
                    protocol tcp;
                    port [bgp ldp snmp snmp-trap telnet ftp ftp-data ssh];
                    tcp-flags "syn | fin | rst";
                }
                then policer TCP-SYN-Policer;
            }
            :
            :
        }
    }
}
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/DOS_prevention.pdf

Ref for the instruction set: http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/config-guide-policy/policy-configuring-match-conditions-in-firewall-filter-terms.html
Author Comment

by:Cahit Eyigunlu
ID: 40490260
Oh, I see. I need to ask one last thing:
is there any possibility to block ACK calls? I mean I want to block ACK and FIN attacks which do not create a SYN call directly. How should I block them?
Author Comment

by:Cahit Eyigunlu
ID: 40490348
And does that apply IP-based or port-based?
LVL 61

Expert Comment

by:btan
ID: 40490375
In fact, my last posting stating tcp-dos-protect-1 and tcp-dos-protect-2 is already doing that for ACK and FIN respectively. The tcp-dos-policer limits it and, if the threshold is exceeded, will block it. If you want to remove the limit and simply block, you can just take away the "if-exceeding" (and its content). I consider them direct attacks, but for those such as spoofed flooding (from fake sources etc.), other DoS measures should come more readily from the FW and IPS/IDS instead of solely relying on the switch per se. But minimally I understand the EX 4500 12.1R1 has IP Source Guard.
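An added example, not from the thread and not Juniper code: a small evaluator for the tcp-flags expressions used in the terms posted above. The operator set (! for NOT, & or , for AND, | or + for OR, parentheses for grouping) and the flag names follow the Junos match-condition reference linked in the earlier comment; tcp-initial and tcp-established are the documented shorthands. The sample segments are constructed. Running it shows, for each segment, which of the thread's three terms would hand it to the policer, so a filter's coverage can be checked before it is committed: a segment carrying only ACK satisfies none of the three expressions.

```python
"""Evaluator for Junos firewall-filter tcp-flags expressions (added example, not Juniper
code). Grammar: '!' NOT, '&' or ',' AND, '|' or '+' OR, parentheses for grouping."""

TCP_FLAGS = {"fin", "syn", "rst", "push", "ack", "urgent"}
# Documented shorthand match conditions and the expressions they stand for.
ALIASES = {"tcp-initial": "syn&!ack", "tcp-established": "ack|rst"}


def tokenize(expr):
    """Split an expression into flag names, operators and parentheses."""
    tokens, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c.isspace():
            i += 1
        elif c in "!&,|+()":
            tokens.append(c)
            i += 1
        else:
            j = i
            while j < len(expr) and (expr[j].isalpha() or expr[j] == "-"):
                j += 1
            if j == i:
                raise ValueError(f"unexpected character {c!r} in {expr!r}")
            tokens.append(expr[i:j])
            i = j
    return tokens


class _Parser:
    """Recursive descent producing a predicate over a set of flag names.
    Precedence, tightest first: '!' then '&'/',' then '|'/'+'."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):
        pred = self.parse_and()
        while self.peek() in ("|", "+"):
            self.take()
            pred = (lambda a, b: lambda f: a(f) or b(f))(pred, self.parse_and())
        return pred

    def parse_and(self):
        pred = self.parse_not()
        while self.peek() in ("&", ","):
            self.take()
            pred = (lambda a, b: lambda f: a(f) and b(f))(pred, self.parse_not())
        return pred

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            inner = self.parse_not()
            return lambda f: not inner(f)
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            pred = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')' in tcp-flags expression")
            return pred
        if tok not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {tok!r}")
        return lambda f, name=tok: name in f


def compile_tcp_flags(expr):
    """Turn a tcp-flags string (or a documented shorthand) into a predicate."""
    expr = ALIASES.get(expr.strip(), expr)
    parser = _Parser(tokenize(expr))
    pred = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r} in {expr!r}")
    return pred


def matches(expr, flags):
    """True if a segment carrying exactly `flags` satisfies the expression."""
    return compile_tcp_flags(expr)(frozenset(flags))


# The three tcp-flags expressions that appear in the thread. Only the flags condition of
# each term is modelled; the MX term's protocol and port conditions are not evaluated.
THREAD_TERMS = {
    "tcp-dos-protect-1": "syn&!ack",
    "tcp-dos-protect-2": "fin|rst",
    "tcp-syn-fin-limit": "syn | fin | rst",
}

# Constructed sample segments, one per flood type named in the question.
SAMPLE_SEGMENTS = {
    "syn-only": {"syn"},
    "syn-ack": {"syn", "ack"},
    "ack-only": {"ack"},
    "fin-ack": {"fin", "ack"},
    "rst-only": {"rst"},
}


def coverage(terms=THREAD_TERMS, segments=SAMPLE_SEGMENTS):
    """For each sample segment, the names of the terms whose tcp-flags condition hits."""
    return {name: [t for t, expr in terms.items() if matches(expr, flags)]
            for name, flags in segments.items()}
```

`coverage()` returns, per constructed segment, the list of matching term names; calling `matches("(syn|fin)&!ack", {"fin", "ack"})` shows how a grouped expression behaves. Terms in a Junos filter are evaluated in order and the first match wins, so the order of the terms, not only their flag conditions, decides which policer a segment reaches.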
Author Comment

by:Cahit Eyigunlu
ID: 40490381
We have added this filter to the EX4500 and all inbound network traffic is gone :)


firewall {
    family inet {
        filter only-spd-network {
            term 1 {
                from {
                    source-address {
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                    }
                }
                then accept;
            }
            term 500 {
                then {
                    reject;
                }
            }
        }
        filter out-syn-limit {
            term tcp-dos-protect-1 {
                from {
                    protocol tcp;
                    tcp-flags "syn&!ack";
                }
                then policer tcp-dos-policer;
            }
            term tcp-dos-protect-2 {
                from {
                    protocol tcp;
                    tcp-flags "fin|rst";
                }
                then policer tcp-dos-policer;
            }
        }
    }
    policer tcp-dos-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 200m;
            burst-size-limit 15m;
        }
        then discard;
    }
}

LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40490427
Pardon me as I am no script fellow, but can you check out "2.4 Protecting against TCP syn/rst attacks" in the previously shared PDF:
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/DOS_prevention.pdf

Also, "Appendix A Baselining Network Traffic using Router and Firewall Counters" and "Appendix B JUNOS Software Router Configuration for Counting Traffic" can help to strike a balance on the threshold in your environment:
http://jncie.files.wordpress.com/2008/09/801003_protecting-the-network-from-denial-of-service-floods.pdf
Author Closing Comment

by:Cahit Eyigunlu
ID: 40490570
Thank you, have a nice day.
LVL 61

Expert Comment

by:btan
ID: 40490579
Appreciate it thanks!