How to rate limit unwanted traffic in JUNOS

JUNOS has firewall filtering which is very powerful and flexible. Filters can match on pre-configured protocols and on user-specified ports, in the source and/or destination direction of the traffic. Many more match conditions are available, including tcp-flags, tcp-established, tcp-initial, fragments and so on. Addresses can be given inline in the term or taken from preconfigured source or destination address lists.

Below we give an example of how to rate limit UDP/123 (NTP) reflection attacks with the JUNOS firewall filter function.

A reflection attack works when an attacker can send a packet with a forged source IP address. The attacker sends a packet that appears to come from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server sends its reply to the victim. That has two effects: the actual source of the attack is hidden and very hard to trace, and, if many Internet servers are used, the attack can consist of an overwhelming number of packets hitting the victim from all over the world.

But what makes reflection attacks really powerful is when they are also amplified. In that case, an attacker can send a small packet "from" a forged source IP address and have the server (or servers) send large replies to the victim. Amplification attacks like that let an attacker turn a small amount of bandwidth from a small number of machines into a massive traffic load hitting a victim from around the Internet. Until recently the most popular protocol for amplification attacks was DNS: a small DNS query looking up the IP address of a domain name would result in a large reply. More recently we see attacks based on the NTP (UDP/123) protocol. UDP-based NTP will reply to a packet with a spoofed source IP address, and because at least one of its built-in commands returns a long reply, it is ideal as a DDoS “tool”.

To help mitigate DDoS amplification attacks such as UDP/123 attacks, you may want to enable uRPF as a first line of defense, so that traffic from spoofed sources is dropped. Next you may want to rate-limit the responses to UDP requests at ingress from your upstream providers (not from your customers). This may require testing and baselining to find the optimal limit that does not interfere with any legitimate traffic. The rate limit is implemented as a policer activated from a firewall filter applied at the network edge (the interfaces towards upstream providers).

First configure a policer that limits to e.g. 10 Mbit/s with a 1 MB burst – named e.g. ‘10m-bw-limit’ – and discards everything above that rate:

set firewall policer 10m-bw-limit if-exceeding bandwidth-limit 10m
set firewall policer 10m-bw-limit if-exceeding burst-size-limit 1m
set firewall policer 10m-bw-limit then discard

Then configure a firewall filter – named e.g. ‘protect-filter’ – to select the type of traffic you want to limit, here UDP packets with source port 123 (NTP replies):

set firewall filter protect-filter interface-specific
set firewall filter protect-filter term limit-udp-src-123 from protocol udp
set firewall filter protect-filter term limit-udp-src-123 from source-port 123
set firewall filter protect-filter term limit-udp-src-123 then policer 10m-bw-limit
set firewall filter protect-filter term limit-udp-src-123 then accept
set firewall filter protect-filter term accept-rest then accept

As with all Juniper firewall filters, do NOT forget to specify what to do with any traffic that is not matched by a term: a filter ends with an implicit discard, so without the ‘accept-rest’ term above all other traffic on the interface would be dropped.

As a final step the firewall filter needs to be applied as an input filter on the upstream-facing interface:

set interfaces xe-0/0/0 unit 0 family inet filter input protect-filter
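To make the two mechanisms the configuration above relies on easier to reason about, here is an added example that is not Junos code and not part of the original article: a small Python model of the filter and policer. It models top-down term evaluation with the implicit discard at the end of the filter, and the policer as a simplified single-rate token bucket in which bandwidth-limit is the refill rate (bits per second) and burst-size-limit is the bucket depth (bytes); Junos's hardware policers differ in implementation detail. The names ‘10m-bw-limit’, ‘protect-filter’, ‘limit-udp-src-123’ and ‘accept-rest’ come from the configuration; the flood of 482-byte NTP replies every 40 microseconds (about 96 Mbit/s) is constructed traffic for the demonstration.

```python
"""Toy model of the protect-filter configuration (added example, not Junos code).

Modelled here:
  * terms are evaluated top-down, and a packet matching no term hits the
    implicit discard at the end of a Junos firewall filter;
  * a policer is a single-rate token bucket: bandwidth-limit is the refill
    rate in bits per second, burst-size-limit the bucket depth in bytes, and
    a packet that finds too few tokens takes the policer action (discard).
Integer arithmetic (microseconds, bits) keeps the simulation exact.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str      # "udp", "tcp", ...
    src_port: int
    length: int     # bytes
    t_us: int       # arrival time in microseconds


class Policer:
    """Simplified single-rate, two-colour token bucket; out-of-profile packets are discarded."""

    def __init__(self, bandwidth_limit_bps: int, burst_size_limit_bytes: int):
        self.bps = bandwidth_limit_bps
        self.depth = burst_size_limit_bytes * 8   # bucket depth in bits
        self.tokens = self.depth                  # bucket starts full
        self.last_us = 0

    def conforms(self, pkt: Packet) -> bool:
        # Refill for the time elapsed since the previous packet, never above the depth.
        refill = (pkt.t_us - self.last_us) * self.bps // 1_000_000
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_us = pkt.t_us
        need = pkt.length * 8
        if need <= self.tokens:
            self.tokens -= need
            return True
        return False


@dataclass
class Term:
    name: str
    match: Callable[[Packet], bool]
    policer: Optional[Policer] = None
    action: str = "accept"


class Filter:
    def __init__(self, terms: List[Term]):
        self.terms = terms

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for term in self.terms:
            if term.match(pkt):
                if term.policer is not None and not term.policer.conforms(pkt):
                    return (term.name, "discard")      # the policer's 'then discard'
                return (term.name, term.action)
        return ("implicit", "discard")                 # Junos implicit discard


def build_protect_filter(with_accept_rest: bool = True) -> Filter:
    """Mirror the set commands: 10m bandwidth-limit, 1m burst-size-limit, NTP replies policed."""
    policer = Policer(bandwidth_limit_bps=10_000_000, burst_size_limit_bytes=1_000_000)
    terms = [Term("limit-udp-src-123",
                  lambda p: p.proto == "udp" and p.src_port == 123,
                  policer, "accept")]
    if with_accept_rest:
        terms.append(Term("accept-rest", lambda p: True))   # catch-all, default accept
    return Filter(terms)


def ntp_flood(n: int = 2500, size: int = 482, interval_us: int = 40) -> List[Packet]:
    """Constructed burst of NTP replies: 482-byte packets every 40 us (about 96 Mbit/s)."""
    return [Packet("udp", 123, size, i * interval_us) for i in range(n)]


def run(filt: Filter, packets: List[Packet]) -> Dict[Tuple[str, str], int]:
    """Count (term, action) outcomes over a packet list."""
    counts: Dict[Tuple[str, str], int] = {}
    for p in packets:
        key = filt.evaluate(p)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(run(build_protect_filter(), ntp_flood()))
    web = Packet("tcp", 443, 1500, 0)
    print(build_protect_filter().evaluate(web))                        # accept-rest
    print(build_protect_filter(with_accept_rest=False).evaluate(web))  # implicit discard
```

Running the flood through the filter shows the burst allowance being consumed first (the 1 MB bucket lets the first 2314 packets through untouched) and then the policer settling to roughly one accepted packet in ten, i.e. the 10 Mbit/s limit against a 96 Mbit/s flood; a TCP packet is accepted by ‘accept-rest’, and with that term removed the same packet falls to the implicit discard. The same model can be rerun with other sizes and intervals when baselining a limit for your own traffic mix.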

Please be aware that firewall filtering in JUNOS can be resource intensive, which is why this is best performed on routers that have the Trio chipset.
