[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods

The procedure in this section creates a sample stateless firewall filter, protect-RE, that limits certain TCP and ICMP traffic destined for the Routing Engine. A router without this kind of protection is vulnerable to TCP and ICMP flood attacks—also called denial-of-service (DoS) attacks. For example:

Applying a firewall filter like protect-RE to the Routing Engine protects against these types of attacks.

For each term in the sample filter, you first create a policer and then incorporate it into the action of the term. For more information about firewall filter policers, see the JUNOS Policy Framework Configuration Guide.

If you want to include the terms created in this procedure in the protect-RE firewall filter configured in the previous section (see Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources), perform the configuration tasks in this section first, then configure the terms as described in the previous section. This approach ensures that the rate-limiting terms are included as the first two terms in the firewall filter.

Note: You can move terms within a firewall filter by using the insert CLI command. For more information, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.

Table 102 lists the terms that are configured in this sample filter.

Table 102: Sample Stateless Firewall Filter protect-RE Terms to Protect Against Floods

Term

Purpose

Policer

tcp-connection-term

Polices the following types of TCP packets with a source address of 192.168.122.0/24 or 10.2.1.0/24:

  • Connection request packets (SYN and ACK flag bits equal 1 and 0)
  • Connection release packets (FIN flag bit equals 1)
  • Connection reset packets (RST flag bit equals 1)

tcp-connection-policer—Limits the traffic rate and burst size of these TCP packets to 500,000 bps and 15,000 bytes. Packets that exceed the traffic rate are discarded.

icmp-term

Polices the following types of ICMP packets. All are counted in counter icmp-counter.

  • Echo request packets
  • Echo response packets
  • Unreachable packets
  • Time-exceeded packets

icmp-policer—Limits the traffic rate and burst size of these ICMP packets to 1,000,000 bps and 15,000 bytes. Packets that exceed the traffic rate are discarded.

To use the configuration editor to configure the policers and the stateless firewall filter:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. To configure the firewall filter policers, perform the configuration tasks described in Table 103.
  3. To configure the prefix lists and the firewall filter, perform the configuration tasks described in Table 104.
  4. If you are finished configuring the router, commit the configuration.
  5. Go on to one of the following procedures:

Table 103: Configuring Policers for TCP and ICMP

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Firewall level in the configuration hierarchy.
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Firewall, click Configure or Edit.

From the [edit] hierarchy level, enter

edit firewall

Define tcp-connection-policer and set its rate limits.

The burst size limit can be from 1,500 bytes through 100,000,000 bytes.

The bandwidth limit can be from 32,000 bps through 32,000,000,000 bps.

Use the following abbreviations when specifying these limits:

  • k (1000)
  • m (1,000,000)
  • g (1,000,000,000)
  1. Next to Policer, click Add new entry.
  2. In the Policer name box, type tcp-connection-policer.
  3. Next to Filter specific, select the check box.
  4. Next to If Exceeding, select the check box and click Configure.
  5. In the Burst size limit box, type 15k.
  6. In the Bandwidth list, select Bandwidth limit.
  7. In the Bandwidth limit box, type 500k.
  8. Click OK.

Set the policer name and its rate limits:

set policer tcp-connection-policer filter-specific if-exceeding burst-size-limit 15k bandwidth-limit 500k

Define the policer action for tcp-connection-policer.
  1. On the Policer tcp-connection-policer page, next to Then, click Configure.
  2. Next to Discard, select the check box.
  3. Click OK twice.

Set the policer action:

set policer tcp-connection-policer then discard

Define icmp-policer and set its rate limits.

The burst size limit can be from 1,500 bytes through 100,000,000 bytes.

The bandwidth limit can be from 32,000 bps through 32,000,000,000 bps.

Use the following abbreviations when specifying these limits:

  • k (1000)
  • m (1,000,000)
  • g (1,000,000,000)
  1. On the Firewall page, next to Policer, click Add new entry.
  2. In the Policer name box, type icmp-policer.
  3. Next to Filter specific, select the check box.
  4. Next to If Exceeding, select the check box and click Configure.
  5. In the Burst size limit box, type 15k.
  6. In the Bandwidth list, select Bandwidth limit.
  7. In the Bandwidth limit box, type 1m.
  8. Click OK.

Set the policer name and its rate limits:

set policer icmp-policer filter-specific if-exceeding burst-size-limit 15k bandwidth-limit 1m

Define the policer action for icmp-policer.
  1. On the Policer icmp-policer page, next to Then, click Configure.
  2. Next to Discard, select the check box.
  3. Click OK three times.

Set the policer action:

set policer icmp-policer then discard

Table 104: Configuring a TCP and ICMP Flood Firewall Filter for the Routing Engine

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Policy options level in the configuration hierarchy.
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Policy options, click Configure or Edit.

From the [edit] hierarchy level, enter

edit policy-options

Define the prefix list trusted-addresses.
  1. Next to Prefix list, click Add new entry.
  2. In the Name box, type trusted-addresses.
  3. Next to Prefix list item, click Add new entry.
  4. In the Prefix box, type 192.168.122.0/24.
  5. Click OK.
  6. Next to Prefix list item, click Add new entry.
  7. In the Prefix box, type 10.2.1.0/24.
  8. Click OK three times.

Set the prefix list:

set prefix-list trusted-addresses 192.168.122.0/24

set prefix-list trusted-addresses 10.2.1.0/24

Navigate to the Firewall level in the configuration hierarchy.

On the main Configuration page next to Firewall, click Configure or Edit.

From the [edit] hierarchy level, enter

edit firewall

Define protect-RE and tcp-connection-term, and define the source prefix list match condition.
  1. Next to Filter, click Add new entry.
  2. In the Filter name box, type protect-RE.
  3. Next to Term, click Add New Entry.
  4. In the Rule name box, type tcp-connection-term.
  5. Next to From, click Configure.
  6. Next to Source prefix list, click Add new entry.
  7. In the Name box, type trusted-addresses.
  8. Click OK.

Set the term name and define the source address match condition:

set family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses

Define the TCP flags and protocol match conditions for tcp-connection-term.
  1. In the TCP flags box, type (syn & !ack) | fin | rst.
  2. In the Protocol choice list, select Protocol.
  3. Next to Protocol, click Add new entry.
  4. In the Value keyword list, select tcp.
  5. Click OK.

Set the TCP flags and protocol and protocol match conditions for the term:

set family inet filter protect-RE term tcp-connection-term from protocol tcp tcp-flags "(syn & !ack) | fin | rst"

Define the actions for tcp-connection-term.
  1. On the Term tcp-connection-term page, next to Then, click Configure.
  2. In the Policer box, type tcp-connection-policer.
  3. In the Designation list, select Accept.
  4. Click OK twice.

Set the actions:

set family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer accept

Define icmp-term, and define the protocol.
  1. On the Filter protect-RE page, next to Term, click Add New Entry.
  2. In the Rule name box, type icmp-term.
  3. Next to From, click Configure.
  4. In the Protocol choice list, select Protocol.
  5. Next to Protocol, click Add new entry.
  6. In the Value keyword list, select icmp.
  7. Click OK.

Set the term name and define the protocol:

set family inet filter protect-RE term icmp-term from protocol icmp

Define the ICMP type match conditions.
  1. In the Icmp type choice list, select Icmp type.
  2. Next to Icmp type, click Add new entry.
  3. In the Value keyword list, select echo-request.
  4. Click OK.
  5. Next to Icmp type, click Add new entry.
  6. In the Value keyword list, select echo-reply.
  7. Click OK.
  8. Next to Icmp type, click Add new entry.
  9. In the Value keyword list, select unreachable.
  10. Click OK.
  11. Next to Icmp type, click Add new entry.
  12. In the Value keyword list, select time-exceeded.
  13. Click OK.

Set the ICMP type match conditions:

set family inet filter protect-RE term icmp-term from icmp-type [echo-request echo-reply unreachable time-exceeded]

Define the actions for icmp-term.
  1. On the icmp-term page, next to Then, click Configure.
  2. In the Count box, type icmp-counter.
  3. In the Policer box, type icmp-policer.
  4. In the Designation list, select Accept.
  5. Click OK four times.

Set the actions:

set family inet filter protect-RE term icmp-term then policer icmp-policer count icmp-counter accept

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]