Solved

EX 4500 Flood Protection

Posted on 2014-12-08
455 Views
Last Modified: 2014-12-09
Is there any possibility to add the given protections to the EX4500 by security filters?

Syn Flood
ACK Flood
FIN Flood
TCP Connection Flood
UDP Flood DDoS
ICMP Flood DDoS


Our config is as given below:


## Last changed: 2014-12-08 17:41:57 UTC
version 12.3R8.7;
system {
    host-name gate.spdnet.net;
    root-authentication {


    }
    services {
        ssh {
            protocol-version v2;
        }
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 3;
        }
    }
}
interfaces {
    xe-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        ether-options {
            802.3ad ae2;
        }
    }
    xe-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ae0 {
        description xxxxxx;
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                rpf-check;
            }
            family ethernet-switching;
        }
    }
    ae1 {
        description "Netscaler UPlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.98.37.33/30;
            }
        }
    }
    ae2 {
        description "Netscaler Downlink";
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    me0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.32.35.14/30;
            }
        }
        unit 1 {
            family inet {
                filter {
                    input only-spd-network;
                }
            }
        }
    }
}
snmp {
    location izmir;
    contact "xxxx";
    community xxxx{
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.32.35.13;
    }
    autonomous-system 57844;
}
protocols {
    bgp {
        group xxxxxx{
            type external;
            description xxxxxxx;
            local-address 10.32.35.14;
            import SPD-IN;
            export SPD-OUT;
            peer-as 43391;
            neighbor 10.32.35.13;
        }
    }
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    sflow {
        polling-interval 10;
        sample-rate 500;
        source-ip 185.9.157.1;
        collector 185.9.157.19;
        interfaces xe-0/0/0.0;
        interfaces xe-0/0/1.0;
    }
}
policy-options {
    prefix-list SPD-PREFIX-LIST {
        185.9.157.0/24;
    }
    policy-statement SPD-IN {
        term 1 {
            then accept;
        }
    }
    policy-statement SPD-OUT {
        term 1 {
            from {
                prefix-list SPD-PREFIX-LIST;
            }
            then {
                community + Firewall;
                accept;
            }
        }
        term 500 {
            then reject;
        }
    }
    community Firewall members [ 9121:444 43391:111 ];
}
firewall {
    family inet {
        filter only-spd-network {
            term 1 {
                from {
                    source-address {
                    }
                }
                then accept;
            }
            term 500 {
                then {
                    reject;
                }
            }
        }
    }
}
ethernet-switching-options {
    voip;
    storm-control {
        interface all;
    }
}
vlans {
    xxxxxx{
        vlan-id 51;
        interface {
            ae0.0;
        }
        l3-interface vlan.0;
    }
    default {
        l3-interface vlan.1;
    }
}

Question by:Cahit Eyigunlu
10 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40488225
Taking reference from the Junos OS guide and configuration can be a good start. It seems the means for DoS or flooding filtering is via permitting only traffic within a specified set of rate limits. Traffic that exceeds the rate limits specified by the policer is either discarded immediately or is marked as lower priority than traffic that is within the rate limits. The switch discards the lower-priority traffic when there is traffic congestion.
A policer applies two types of rate limits on traffic:
• Bandwidth—The number of bits per second permitted, on average.
• Maximum burst size—The maximum size permitted for bursts of data that exceed the given bandwidth limit.
You can define specific classes of traffic on an interface and apply a set of rate limits to each class. After you name and configure a policer, it is stored as a template. You can then use the policer in a firewall filter configuration. Chapter 5 drills into the configuration statements, e.g.
The structure will be sort of the below:
policer policer-name {
    filter-specific;
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        policer-action;
    }
}
E.g. you can catch pg 129 on "Configuring Policers to Control Traffic Rates (CLI Procedure)":
3. Configure rate limiting for the policer:
a. Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k
The range for the bandwidth limit is 1k through 102.3g bps.

b. Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:
burst size = (bandwidth) * (allowable time for burst traffic)
The range for the burst-size limit is 1 through 2,147,450,880 bytes.
...and map it to the specific protocol in the overall rule.

http://www.juniper.net/techpubs/en_US/junos13.2/information-products/pathway-pages/ex-series/routing-policy.pdf

Author Comment

by:Cahit Eyigunlu
ID: 40488813
But that blocks standard downloads, speed tests, etc. too.
LVL 64

Expert Comment

by:btan
ID: 40488829
Indeed, but it can rate limit those floods, and this is normally neglected as most just focus on protocol-anomaly-based flooding; you need layers of protection. As mentioned, there is no built-in rule for the EX switch, but you can have the rate limit with the protocol check too, e.g. as shared in the forum:
term tcp-dos-protect-1 {
    from {
        protocol tcp;
        tcp-flags "syn&!ack";
    }
    then policer tcp-dos-policer;
}
term tcp-dos-protect-2 {
    from {
        protocol tcp;
        tcp-flags "fin|rst";
    }
    then policer tcp-dos-policer;
}

...

policer tcp-dos-policer {
    filter-specific;
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 15k;
    }
    then discard;
}
But do check out this, even though it is stated for DoS protection via a Juniper MX router:
firewall {
    policer TCP-SYN-Policer {
        if-exceeding {
            bandwidth-limit 8k;
            burst-size-limit 1500;
        }
        then discard;
    }
    family inet {
        filter DOS-Protect {
            :
            :
            /* Term tcp-syn-fin-limit: Rate limit TCP packets with SYN/FIN/RST flags. */
            term tcp-syn-fin-limit {
                from {
                    protocol tcp;
                    port [ bgp ldp snmp snmp-trap telnet ftp ftp-data ssh ];
                    tcp-flags "syn | fin | rst";
                }
                then policer TCP-SYN-Policer;
            }
            :
            :
        }
    }
}
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/DOS_prevention.pdf

Ref for the instruction set: http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/config-guide-policy/policy-configuring-match-conditions-in-firewall-filter-terms.html

Author Comment

by:Cahit Eyigunlu
ID: 40490260
Owww, I see. I need to ask one last thing:
is there any possibility to block ACK calls? I mean I want to block ACK and FIN attacks which do not create a SYN call directly. How should I block them?

Author Comment

by:Cahit Eyigunlu
ID: 40490348
And is that applied IP-based or port-based?
LVL 64

Expert Comment

by:btan
ID: 40490375
In fact, my last posting stating tcp-dos-protect-1 and tcp-dos-protect-2 is already doing that for ACK and FIN respectively. The tcp-dos-policer limits it and, if the threshold is exceeded, will block it. If you want to remove the limit and simply block, you can just take away the "if-exceeding" (and its content). I consider them direct attacks, but for those such as spoofed flooding (from fake sources etc.), other DoS measures should come more readily from the FW and IPS/IDS instead of solely relying on the switch per se. But minimally I understand EX 4500 12.1R1 has IP Source Guard.

Author Comment

by:Cahit Eyigunlu
ID: 40490381
We have added this filter to the EX4500 and all inbound network traffic is gone :)


firewall {
    family inet {
        filter only-spd-network {
            term 1 {
                from {
                    source-address {


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

                    }
                }
                then accept;
            }
            term 500 {
                then {
                    reject;
                }
            }
        }
        filter out-syn-limit {
            term tcp-dos-protect-1 {
                from {
                    protocol tcp;
                    tcp-flags "syn&!ack";
                }
                then policer tcp-dos-policer;
            }
            term tcp-dos-protect-2 {
                from {
                    protocol tcp;
                    tcp-flags "fin|rst";
                }
                then policer tcp-dos-policer;
            }
        }
    }
    policer tcp-dos-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 200m;
            burst-size-limit 15m;
        }
        then discard;
    }
}

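Added example (editor's, not posted by anyone in the thread): the filter above loses all inbound traffic for a reason visible in the config itself. A Junos firewall filter ends in an implicit discard, and out-syn-limit has only two terms, each of which accepts just rate-limited SYN or FIN/RST packets; every other packet (ACK-only data segments, UDP, ICMP) falls off the end of the filter and is dropped. Two further points: "syn&!ack" matches SYN without ACK, i.e. new connection attempts, so an ACK-only flood is not matched by that term at all; and because tcp-dos-policer is filter-specific, both terms share one token bucket, so a SYN flood drains the budget that FIN/RST traffic is policed against. The configuration below is a rewritten version covering the protocols listed in the question: one term-specific policer per class (SYN, FIN/RST, UDP, ICMP), a counter on each term, a terminating accept, and the filter applied as the single input filter on vlan.1. All bandwidth and burst values are placeholder assumptions to be baselined against real traffic (Appendix A of the linked PDF), the term and policer names are invented, and the source-address accept term of only-spd-network, whose addresses are redacted in the post, would go first if that check is still wanted.

```junos
/* Added example, not from the thread: placeholder rates, invented names. */
firewall {
    /* One term-specific policer per traffic class (no filter-specific), so
       each class gets its own token bucket and a SYN flood cannot drain the
       budget used by FIN/RST, UDP or ICMP. Rates are assumptions to baseline. */
    policer syn-policer {
        if-exceeding {
            /* about 2000 64-byte SYN frames per second before discarding */
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer fin-rst-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer udp-policer {
        if-exceeding {
            /* must sit well above normal DNS/NTP/syslog load; measure first */
            bandwidth-limit 50m;
            burst-size-limit 1m;
        }
        then discard;
    }
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter dos-protect {
            /* The source-address accept term from only-spd-network (redacted
               in the post) goes here, first, if that check is still wanted. */
            term syn-flood {
                from {
                    protocol tcp;
                    /* SYN without ACK: new connection attempts only. An ACK
                       flood ("ack & !syn") is not matched by this term. */
                    tcp-flags "syn & !ack";
                }
                then {
                    policer syn-policer;
                    count syn-seen;
                }
            }
            term fin-rst-flood {
                from {
                    protocol tcp;
                    tcp-flags "fin | rst";
                }
                then {
                    policer fin-rst-policer;
                    count fin-rst-seen;
                }
            }
            term udp-flood {
                from {
                    protocol udp;
                }
                then {
                    policer udp-policer;
                    count udp-seen;
                }
            }
            term icmp-flood {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    count icmp-seen;
                }
            }
            /* Terminating accept. Without it the filter ends in the Junos
               implicit discard, which is what dropped all inbound traffic. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 1 {
            family inet {
                filter {
                    /* replaces only-spd-network as the single input filter */
                    input dos-protect;
                }
            }
        }
    }
}
```

Commit it with `commit confirmed 5` so that a filter that still cuts you off rolls back on its own after five minutes unless you confirm it, then watch the per-term counters with `show firewall filter dos-protect` and the discard counts with `show policer`. An ACK term is left out on purpose: "ack & !syn & !fin & !rst" is also every data segment of every established connection, so policing it throttles downloads, which is exactly the objection raised earlier in the thread. A stateless switch filter cannot tell an ACK flood from a busy download; that distinction needs the connection table of an upstream stateful firewall or IPS.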
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 40490427
Pardon me as I am no script fellow, but can you check out "2.4 Protecting against TCP syn/rst attacks" in the previously shared PDF:
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/DOS_prevention.pdf

Also, "Appendix A Baselining Network Traffic using Router and Firewall Counters" and "Appendix B JUNOS Software Router Configuration for Counting Traffic" can help to strike a balance on the threshold in your env.
http://jncie.files.wordpress.com/2008/09/801003_protecting-the-network-from-denial-of-service-floods.pdf

Author Closing Comment

by:Cahit Eyigunlu
ID: 40490570
Thank you, have a nice day.
LVL 64

Expert Comment

by:btan
ID: 40490579
Appreciate it thanks!