
So I've read a number of white papers from Juniper containing some DoS prevention strategies. I'm not looking to prevent any one in particular, but rather just to ensure the network is as well protected as possible.

But I'm not inclined to copy+paste configs I've found online without fully knowing the implications.

I've got an EX4200 sitting on the internet with a number of public subnets, all in their own VLANs, each with an RVI.

This is one example I've found ...

term tcp-dos-protect-1 {
    from {
        protocol tcp;
        tcp-flags "syn&!ack";
    }
    then policer tcp-dos-policer;
}
term tcp-dos-protect-2 {
    from {
        protocol tcp;
        tcp-flags "fin|rst";
    }
    then policer tcp-dos-policer;
}

...

policer tcp-dos-policer {
    filter-specific;
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 15k;
    }
    then discard;
}

Now, would this particular rule affect genuine traffic? Under heavy network conditions, would it just start dropping genuine traffic, or does it really only block "bad" traffic?

choco-loo

1 Answer

Without knowing how much data your environment serves, this filter shouldn't present any issues. It's setting a hard limit on TCP initializations and finished/reset flags at 500 Kb/s. To reach this limit, you would need to be serving several million new TCP requests per second. Even if some good packets did reach that hard limit, they would just drop and then attempt again in a few seconds.

This is also (unfortunately) true for people attempting to DoS your servers. If a single host was able to initiate several thousand connections to one of your servers every second, you’d still be in trouble.


The thing to note about these filters is that they're a very crude way of limiting traffic; in other words, they're limited but efficient. They're good for making sure no unnecessary traffic traverses your network, but web-server technologies (e.g. mod_security, mod_evasive, etc.) will always do a more intelligent job of managing your server load and figuring out what it should and shouldn't be handling.

In the example above, a person attempting repeat connections at those levels would be blocked for a predetermined amount of time. The most you'd lose is a marginal amount of bandwidth and enough processing to close the connection.

Ryan Foley
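As an added worked example (this is not code from the question or the answer above), the model below lets you check for your own traffic mix where the tcp-dos-policer starts discarding. It assumes the Junos two-colour policer behaves as a single-rate token bucket (bandwidth-limit is a bit rate that refills the bucket, burst-size-limit is the bucket depth in bytes, and a packet that does not fit is hit by `then discard`), that `filter-specific` makes both terms share one bucket, and that a SYN or RST is 60 bytes on the wire. The stream labels, packet rates and sizes are made up for illustration. It reproduces the two `tcp-flags` matches from the filter, computes the steady-state SYN rate the policer will pass, and then runs a genuine SYN stream alone and beside a RST flood that shares the same bucket.

```python
"""Token-bucket model of the tcp-dos-policer from the question above.

Added example, not code from the original post. Assumptions (labelled):
- Junos bandwidth-limit is a bit rate and burst-size-limit a byte depth, and
  the policer behaves as a single-rate two-colour token bucket: the bucket
  refills at the bandwidth rate, a packet is forwarded only if the bucket
  holds at least its size in bytes, otherwise the "then discard" action runs.
- filter-specific means both terms share ONE bucket, so SYNs and FIN/RSTs
  compete for the same 500 kbit/s.
- A SYN or RST is 60 bytes on the wire; all traffic rates below are made up.
"""
from typing import List, Optional, Tuple

BANDWIDTH_BPS = 500_000  # bandwidth-limit 500k (bits per second)
BURST_BYTES = 15_000     # burst-size-limit 15k (bytes)


class TokenBucketPolicer:
    """Single-rate, two-colour policer: conform -> forward, exceed -> discard."""

    def __init__(self, bandwidth_bps: int, burst_bytes: int) -> None:
        self.bandwidth_bps = bandwidth_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_t = 0.0

    def offer(self, size_bytes: int, t: float) -> bool:
        """Return True if the packet arriving at time t conforms (is forwarded)."""
        # Refill for the elapsed time; bandwidth is in bits, tokens are bytes.
        refill = (t - self.last_t) * self.bandwidth_bps / 8.0
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_t = t
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def tcp_flags_term(flags: set) -> Optional[str]:
    """Which term a packet hits, mirroring the tcp-flags expressions on the page."""
    if "syn" in flags and "ack" not in flags:  # tcp-flags "syn&!ack"
        return "tcp-dos-protect-1"
    if "fin" in flags or "rst" in flags:       # tcp-flags "fin|rst"
        return "tcp-dos-protect-2"
    return None                                # not policed by these terms


def conforming_pps(bandwidth_bps: int, packet_bytes: int) -> float:
    """Steady-state packets per second the policer forwards for one packet size."""
    return bandwidth_bps / (packet_bytes * 8)


# A stream is (label, TCP flags set, packets per second, bytes per packet).
Stream = Tuple[str, set, int, int]


def simulate(streams: List[Stream], duration_s: float,
             bandwidth_bps: int = BANDWIDTH_BPS,
             burst_bytes: int = BURST_BYTES) -> dict:
    """Push the streams through ONE shared bucket (filter-specific).

    Returns {label: (forwarded, discarded)}. Streams that match neither term
    never reach the policer and are counted as forwarded.
    """
    policer = TokenBucketPolicer(bandwidth_bps, burst_bytes)
    stats = {label: [0, 0] for label, _, _, _ in streams}
    events = []
    for order, (label, flags, pps, size) in enumerate(streams):
        n = int(pps * duration_s)
        if tcp_flags_term(flags) is None:
            stats[label][0] += n  # e.g. ACK-only segments of established flows
            continue
        events.extend((i / pps, order, label, size) for i in range(n))
    events.sort()  # by time; on a tie the stream listed first is offered first
    for t, _, label, size in events:
        stats[label][0 if policer.offer(size, t) else 1] += 1
    return {label: tuple(v) for label, v in stats.items()}


if __name__ == "__main__":
    print(f"60-byte SYNs pass at most {conforming_pps(BANDWIDTH_BPS, 60):.0f}/s")
    quiet = simulate([("genuine-syn", {"syn"}, 200, 60)], duration_s=10)
    print("genuine SYNs alone:", quiet)
    flood = simulate([("genuine-syn", {"syn"}, 200, 60),
                      ("rst-flood", {"rst"}, 5000, 60),
                      ("established", {"ack"}, 20000, 1500)], duration_s=10)
    print("with a RST flood sharing the bucket:", flood)
```

Two things the run makes visible that the config alone does not: the policer limits bytes, not connections, so the SYN rate it passes is just the bandwidth divided by the SYN size (substitute your own measured SYN size and peak new-connection rate in `conforming_pps`); and because the policer is `filter-specific`, a FIN/RST flood drains the same bucket that genuine SYNs depend on, so during the flood a large share of legitimate connection attempts is discarded while ACK-carrying segments of established connections pass untouched. If you want SYNs and FIN/RSTs budgeted separately, give each term its own policer instance instead of a shared one.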