DoS Attack Overview
A denial-of-service (DoS) attack aims to overwhelm the victim with bogus traffic. This overload prevents the processing of legitimate traffic. The target can be the firewall, the network resources to which the firewall controls access, or the specific hardware platform or operating system of an individual host.
If a DoS attack originates from multiple source addresses, it is known as a distributed denial-of-service (DDoS) attack. Typically, the source address of a DoS attack is spoofed. DDoS attacks might involve spoofed source addresses or use actual addresses of compromised hosts as “zombie agents” to launch the attack.
The device can defend itself and the resources it protects from DoS and DDoS attacks.
Use Feature Explorer to confirm platform and release support for specific features.
Review the Platform-Specific DoS Attack Behavior section for notes related to your platform.
Firewall DoS Attacks Overview
A DoS attack floods the victim with bogus traffic, hindering the processing of legitimate traffic.
If attackers discover the presence of the Juniper Networks firewall, the attackers might launch a DoS attack against it instead of the network behind it. A successful DoS attack against a firewall amounts to a successful DoS attack against the protected network in that it thwarts attempts of legitimate traffic to traverse the firewall.
An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of Junos OS and thereby produce a DoS.
Understanding Firewall Filters on the SRX5000 Module Port Concentrator
The SRX5000 line Module Port Concentrator (SRX5K-MPC) for the SRX5400, SRX5600, and SRX5800 supports a firewall filter. It provides filter-based forwarding (FBF) and packet filtering at logical interfaces, including the chassis loopback interface. A firewall filter is used to secure networks, to protect Routing Engines and Packet Forwarding Engines, and to enforce class of service (CoS).
The firewall filter provides:
FBF at logical interfaces
Protection of a Routing Engine from DoS attacks
Blocking of certain types of packets from reaching a Routing Engine, and packet counting
The firewall filter examines packets and performs actions according to the configured filter policy. The policy is composed of match conditions and actions. The match conditions cover various fields of the Layer 3 packet and Layer 4 header information. In association with the match conditions, various actions are defined in the firewall filter policy; these actions include accept, discard, log, count, and so on.
After you configure the firewall filter, you apply it to a logical interface in the ingress direction, the egress direction, or both. All packets passing through the logical interface are checked by the firewall filter. As part of the firewall filter configuration, you define a policer and apply it to the logical interface. A policer restricts the traffic bandwidth at the logical interface.
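The following configuration is an added illustration of the pieces described above (match conditions, actions, a policer, and the filter applied to the chassis loopback interface in the ingress direction); it is not taken from the Juniper documentation and the filter, policer and term names, the management prefix 192.0.2.0/24, and the rate limits are assumptions chosen for the example. Its purpose is to protect the Routing Engine by rate-limiting and counting SSH from the management network, logging and discarding SSH from anywhere else, and accepting remaining traffic unchanged.

```junos
## Added example (not from the original page). Names, addresses and
## limits are assumptions for illustration.

## Policer: bound the bandwidth of traffic that matches the term it is
## attached to; packets over the limit are discarded (assumed 1 Mbps / 15 KB).
set firewall policer protect-re-policer if-exceeding bandwidth-limit 1m
set firewall policer protect-re-policer if-exceeding burst-size-limit 15k
set firewall policer protect-re-policer then discard

## Term 1: SSH from the assumed management prefix is policed, counted, accepted.
set firewall family inet filter protect-re term ssh-from-mgmt from source-address 192.0.2.0/24
set firewall family inet filter protect-re term ssh-from-mgmt from protocol tcp
set firewall family inet filter protect-re term ssh-from-mgmt from destination-port ssh
set firewall family inet filter protect-re term ssh-from-mgmt then policer protect-re-policer
set firewall family inet filter protect-re term ssh-from-mgmt then count ssh-mgmt
set firewall family inet filter protect-re term ssh-from-mgmt then accept

## Term 2: SSH from any other source is logged, counted and discarded.
set firewall family inet filter protect-re term ssh-other from protocol tcp
set firewall family inet filter protect-re term ssh-other from destination-port ssh
set firewall family inet filter protect-re term ssh-other then log
set firewall family inet filter protect-re term ssh-other then count ssh-blocked
set firewall family inet filter protect-re term ssh-other then discard

## Term 3: everything else continues to the Routing Engine unchanged.
set firewall family inet filter protect-re term accept-rest then accept

## Apply the filter as an input (ingress) filter on the chassis loopback
## logical interface lo0.0, so it is evaluated for traffic destined to the RE.
set interfaces lo0 unit 0 family inet filter input protect-re
```

After committing, the per-term counters (`ssh-mgmt`, `ssh-blocked`) show whether management SSH is hitting the policer and how much unwanted SSH is being dropped, which is the quickest way to confirm the filter is doing what the terms say before tightening it further.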
Platform-Specific DoS Attack Behavior
Use Feature Explorer to confirm platform and release support for specific features.
Use the following table to review platform-specific behaviors for your platform.
| Platform | Difference |
|---|---|
| SRX Series Firewalls | |