Example: Configuring Firewall Filters
The following
example shows how to configure a firewall filter to protect the Routing
Engine. To protect the Routing Engine, it is important to constrain
the traffic load from each of the allowed services. Rate-limiting
control traffic helps protect the Routing Engine from attack packets
that are forged such that they appear to be legitimate traffic and
are then sent at such a high rate as to cause a DoS attack.
Routing and control traffic are essential to proper
functioning of the router, and rapid convergence of routing protocols
is crucial for stabilizing the network during times of network instability.
While it might seem desirable to limit the amount of routing protocol
traffic to protect against various types of attacks, it is very difficult
to determine a fixed maximum rate for protocol traffic, because it
depends upon the number of peers and adjacencies, which varies over
time. Therefore, it is best not to rate-limit routing protocol traffic.
By contrast, because management traffic is less
essential and more predictable than routing protocol traffic, it
can be policed to a fixed rate, so that it cannot consume the resources
needed by the routing and control traffic that cannot safely be rate-limited.
We recommend allocating a fixed amount of bandwidth to each type of
management traffic so that an attacker cannot consume all of the
router’s CPU by launching an attack through any single service.
[edit]
firewall {
    /* Policers are defined at the [edit firewall] level and referenced
       by name from the filter terms below. */
    policer ssh-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    /* Shared by low-volume services such as ICMP and traceroute. */
    policer small-bandwidth-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer snmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer ntp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer dns-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer radius-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    /* Limits TCP connection setup and teardown packets (SYN, FIN, RST). */
    policer tcp-policer {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    filter protect-routing-engine {
        /* The following terms accept traffic only from the trusted
           sources. The trusted traffic is rate-limited with the exception of
           the routing protocols. */
        /* The following term protects against ICMP flooding attacks
           against the Routing Engine. */
        term icmp {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then {
                policer small-bandwidth-policer;
                accept;
            }
        }
        term tcp-connection {
            from {
                source-prefix-list {
                    ssh-addresses;
                    bgp-addresses;
                }
                protocol tcp;
                tcp-flags "(syn & !ack) | fin | rst";
            }
            then {
                policer tcp-policer;
                accept;
            }
        }
        /* The following term protects SSH traffic destined for
           the Routing Engine. */
        term ssh {
            from {
                source-prefix-list {
                    ssh-addresses;
                }
                protocol tcp;
                port [ ssh telnet ];
            }
            then {
                policer ssh-policer;
                accept;
            }
        }
        /* The following term protects BGP traffic destined for
           the Routing Engine. Routing protocol traffic is accepted
           without a policer. */
        term bgp {
            from {
                source-prefix-list {
                    bgp-addresses;
                }
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        term snmp {
            from {
                source-prefix-list {
                    snmp-addresses;
                }
                protocol udp;
                port snmp;
            }
            then {
                policer snmp-policer;
                accept;
            }
        }
        term ntp {
            from {
                source-prefix-list {
                    ntp-addresses;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer ntp-policer;
                accept;
            }
        }
        term dns {
            from {
                source-prefix-list {
                    dns-addresses;
                }
                protocol udp;
                port domain;
            }
            then {
                policer dns-policer;
                accept;
            }
        }
        term radius {
            from {
                source-prefix-list {
                    radius-addresses;
                }
                protocol udp;
                port radius;
            }
            then {
                policer radius-policer;
                accept;
            }
        }
        term trace-route {
            from {
                protocol udp;
                destination-port 33434-33523;
            }
            then {
                policer small-bandwidth-policer;
                accept;
            }
        }
        /* All other traffic that is not trusted is silently dropped.
           We recommend logging the denied traffic for analysis purposes. */
        term everything-else {
            then {
                syslog;
                log;
                discard;
            }
        }
    }
}
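The filter only takes effect once it is applied to the loopback interface, and it references prefix lists that must exist under policy-options. The following companion configuration is an added example and is not part of the original page; the addresses are constructed placeholders from the documentation ranges, and the prefix-list names are the ones the filter above references.

```junos
[edit]
policy-options {
    /* Constructed placeholder prefixes; replace with the real
       management, peering, and server networks. */
    prefix-list ssh-addresses {
        192.0.2.0/24;
    }
    prefix-list bgp-addresses {
        198.51.100.1/32;
        198.51.100.2/32;
    }
    prefix-list snmp-addresses {
        192.0.2.10/32;
    }
    prefix-list ntp-addresses {
        192.0.2.20/32;
    }
    prefix-list dns-addresses {
        192.0.2.30/32;
    }
    prefix-list radius-addresses {
        192.0.2.40/32;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Traffic destined for the Routing Engine is evaluated
                   by the loopback input filter; until the filter is
                   applied here it has no effect. */
                filter {
                    input protect-routing-engine;
                }
            }
        }
    }
}
```

Because a mistake in ssh-addresses would silence the operator's own management session, activate the change with commit confirmed so that it rolls back automatically unless confirmed.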