Configuring UDP CHARGEN DoS Attack Screen
This topic describes how to configure protection from a UDP CHARGEN DoS attack.
Note:
A UDP packet with a source port of 7 and a destination port of 19 is detected as an attack.
To enable detection of a UDP CHARGEN DoS attack:
- Configure interfaces and assign an IP address to each interface.
  [edit]
  user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
  user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- Configure security zones trustZone and untrustZone and assign interfaces to them.
  [edit]
  user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
  user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
  user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
  user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
  user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
  user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- Configure security policies from untrustZone to trustZone with the Junos OS predefined application junos-chargen.
  [edit]
  user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
  user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
  user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application junos-chargen
  user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then deny
  user@host# set security policies default-policy permit-all
- Configure syslog.
  [edit]
  user@host# set system syslog file syslog any any
  user@host# set system syslog file syslog archive size 10000000
  user@host# set system syslog file syslog structured-data
  user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
  user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- To allow the packet to reach the destination, change the policy configuration from deny to permit.
  [edit]
  user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
- Commit the configuration.
  [edit]
  user@host# commit
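To make the note's detection rule concrete, the following is an added Python example (not Junos code and not part of this document) that parses a raw IPv4/UDP datagram and flags the echo-to-CHARGEN port pair the screen looks for. The packet builder and the sample addresses drawn from the page's 192.0.2.0/24 and 198.51.100.0/24 prefixes are constructed for the test and are assumptions.

```python
import struct

ECHO_PORT = 7      # UDP echo service
CHARGEN_PORT = 19  # UDP character generator (CHARGEN) service


def parse_ipv4_udp(packet: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port) for an IPv4/UDP datagram, else None."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:          # not IPv4
        return None
    ihl = (version_ihl & 0x0F) * 4     # header length in bytes (options allowed)
    if ihl < 20 or len(packet) < ihl + 8:
        return None
    if packet[9] != 17:                # protocol field: 17 = UDP
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src_ip, dst_ip, src_port, dst_port


def is_udp_chargen_attack(packet: bytes) -> bool:
    """The screen's signature: UDP with source port 7 and destination port 19."""
    parsed = parse_ipv4_udp(packet)
    if parsed is None:
        return False
    _, _, src_port, dst_port = parsed
    return src_port == ECHO_PORT and dst_port == CHARGEN_PORT


def build_ipv4_udp(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Constructed sample datagram; checksums are left zero since nothing here verifies them."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return ip_hdr + udp


# Constructed samples: an echo->CHARGEN packet (the screen's signature) and a DNS query.
ATTACK = build_ipv4_udp("198.51.100.7", "192.0.2.10", ECHO_PORT, CHARGEN_PORT)
BENIGN = build_ipv4_udp("198.51.100.7", "192.0.2.10", 40000, 53)
```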