[j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread kwarteng
Hello all, I am having a dos attack from one of my Transit providers. I already have a bogon filter on the router. I have also tried a blackhole with a bgp community. The attack still seems to be on. My config below: protocols { bgp { group { type external;

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Jonas Frey (Probe Networks)
Hello, the question is: What do you want to do? a) Filter the attacked IP (your IP) by your ISP in terms of blackhole community. Does your ISP offer this? If they do, you need to announce them this single IP address (/32) with their community set. b) You can filter the attack on the interfaces

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread imutsu
You should set the firewall filter on the interface to your transit to drop the packets. -Original Message- From: kwarteng kwart...@myzipnet.com Sender: juniper-nsp-boun...@puck.nether.net Date: Tue, 5 Apr 2011 13:00:47 To: juniper-nsp@puck.nether.net Subject: [j-nsp] mitigating dos attack

[j-nsp] Multiple LAG Groups / Common Layer3 Routing

2011-04-05 Thread Paul Stewart
Hi folks.. Not sure if my subject line reads correctly or not. MX platform running 10.0R3.10 I have eight physical interfaces and want 4 LAG groups (2 interfaces X 4 LAG groups) - LACP Passive mode. All 4 LAG groups must belong to the same layer3 network. I have tried to create

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread kwarteng
Hello, the issue is the incoming traffic on my interface has all of a sudden increased by about 100M. Input rate : 117310032 bps (11356 pps) Output rate: 2590056 bps (1863 pps) I cannot source this huge traffic from anywhere on my network. I can't figure out my customers' IPs which

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread OBrien, Will
It depends on just how bad the attack is. If you can't identify the major sources with something like netflow/cflow, you might be able to identify the target. I suggest popping the policer on your customers one by one and taking note of whose inbound traffic spikes the most. Alternatively, if

Re: [j-nsp] Multiple LAG Groups / Common Layer3 Routing

2011-04-05 Thread Bill Blackford
By family bridge you mean you've also added ae0, ae1, etc. to a bridge-domain and a routing-interface irb? I haven't tried this but I would attempt to use encapsulation ethernet-bridge on the ae interface. Could you post your final working solution to the list or to me off-line? Thanks, -b On

Re: [j-nsp] Multiple LAG Groups / Common Layer3 Routing

2011-04-05 Thread David Lockuan
Hi Paul, Yes, you need to create bridge domains with the respective vlan or vlans. Then you insert the aeX in the bridge domain. If you need to apply routing on this bridge, you need to create an irb interface and configure the routing-interface in the bridge. Best regards, On Tue, Apr 5,

Re: [j-nsp] Multiple LAG Groups / Common Layer3 Routing

2011-04-05 Thread Nathan Sipes
Something like this allows both l2 and l3 transit on the interface. ae0 { description Connection to Blah ae0; flexible-vlan-tagging; native-vlan-id 1; mtu 9192; gratuitous-arp-reply; unit 0 { vlan-id 900; family inet { address 10.1.32.1/30;

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Stefan Fouant
-Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of imu...@gmail.com Sent: Tuesday, April 05, 2011 10:04 AM To: juniper-nsp-boun...@puck.nether.net; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] mitigating dos

[j-nsp] MX80-48T Fan Speed Variation

2011-04-05 Thread Bill Blackford
MX80-48T 10.2R3.10 I see this in the logs: Apr 5 07:38:54 mx80 chassisd[1098]: CHASSISD_BLOWERS_SPEED_MEDIUM: Fans and impellers being set to intermediate speed Apr 5 07:39:34 mx80 chassisd[1098]: CHASSISD_BLOWERS_SPEED: Fans and impellers are now running at normal speed Apr 5 07:40:14

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Justin M. Streiner
On Tue, 5 Apr 2011, imu...@gmail.com wrote: You should set the firewall filter on interface to your transit to dropped the packet. Firewall filters are fine as another line of defense, but if the attack is inbound, particularly if it's intended to be a 'pipe filler', most of the effect of

Re: [j-nsp] MX80-48T Fan Speed Variation

2011-04-05 Thread Andy Harding
We have 5x MX80-48T that all do this so I am interested in the answer too... -- Regards Andy Harding Internet Connections Ltd Phone: 020 7531 5655 Mobile: 07813 975 459 Fax: 01538 382596 Web: www.inetc.co.uk Email: a...@inetc.co.uk ___ juniper-nsp

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Stefan Fouant
-Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of kwarteng Sent: Tuesday, April 05, 2011 10:08 AM To: 'Jonas Frey (Probe Networks)' Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] mitigating dos attack on

Re: [j-nsp] Multiple LAG Groups / Common Layer3 Routing

2011-04-05 Thread Paul Stewart
Thanks to everyone for their replies. We are going to put the LAG portion on standby for now due to time constraints with the project. Just to reply here though, we cannot have any VLAN tagging - the 8 ports are all connected to servers that cannot deal with VLAN tags. Maybe I'm misunderstanding

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Jensen Tyler
Juniper also supports cool things like this: prefix-list BGP-Peers { apply-path protocols bgp group * neighbor *; } You'll need to modify it if you have any routing instances with BGP peers. Jensen Tyler Network Engineer Fiberutilities Group, LLC (319) 364-3200 (office) (319) 364-8100 (fax)

Re: [j-nsp] MX80-48T Fan Speed Variation

2011-04-05 Thread Bill Blackford
For now, I just added a config to stop all these entries from filling up the logs: file messages { any info; authorization info; match !(.*CHASSISD_BLOWERS_SPEED.*); explicit-priority; } As a workaround, is there a way to change

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Stefan Fouant
-Original Message- From: Giuliano Medalha [mailto:giuli...@wztech.com.br] Sent: Tuesday, April 05, 2011 11:53 AM To: Stefan Fouant Cc: kwarteng; Jonas Frey (Probe Networks); juniper-nsp@puck.nether.net Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i You can create a RE

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Stefan Fouant
-Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Stefan Fouant Sent: Tuesday, April 05, 2011 11:33 AM To: 'kwarteng'; 'Jonas Frey (Probe Networks)' Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] mitigating

Re: [j-nsp] MX80-48T Fan Speed Variation

2011-04-05 Thread Serge Vautour
JTAC told me there wasn't. -Serge - Original Message From: Bill Blackford bblackf...@gmail.com To: juniper-nsp@puck.nether.net Cc: Serge Vautour sergevaut...@yahoo.ca Sent: Tue, April 5, 2011 1:42:40 PM Subject: Re: [j-nsp] MX80-48T Fan Speed Variation For now, I just added a config

Re: [j-nsp] MX80-48T Fan Speed Variation

2011-04-05 Thread David Ball
I've got 5 of them doing the same thing...not even a warm room. Used the same config snippet to debloat logs. All SFP-based, but only have 2 x XFP and a single SFP populated currently. Yanked the fan tray to test traps, and the thing shut down completely in less than 15 mins. David On 5

Re: [j-nsp] Multiple LAG Groups / Common Layer3 Routing

2011-04-05 Thread Chris Kawchuk
Hi Paul, Try this: interfaces { /* Repeat for all the physical ports you need to put into the respective aeX LACP groups */ xe-0/2/0 { description Connection to blah; gigether-options { 802.3ad ae0; } } ae0 { aggregated-ether-options {

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread kwarteng
Hello all, I have set up a NetFlow analyzer to be able to identify the IP being attacked or the attacking IP. I however don't seem to have it populated. Even the file on the juniper box doesn't show anything. What am I doing wrong, please? === run show log /var/tmp/ddos-debug.log # Apr 5 16:57:04 #

Re: [j-nsp] MX80-48T Fan Speed Variation

2011-04-05 Thread Daniel Roesen
On Tue, Apr 05, 2011 at 12:53:23PM -0600, David Ball wrote: I've got 5 of them doing the same thing...not even a warm room. Used the same config snippet to debloat logs. The logging bloat of JUNOS with a wealth of miscategorized (too high severity levels) has led me to raise TAC cases. One of

Re: [j-nsp] MX80-48T Fan Speed Variation

2011-04-05 Thread Richard A Steenbergen
On Tue, Apr 05, 2011 at 11:42:08PM +0200, Daniel Roesen wrote: JUNOS logging is a disaster. Either you get FAR too much noise (JUNOS developers love to leave a bouquet of debug messages in there, miscategorized as something other than debug), or you don't get relevant things anymore (like

Re: [j-nsp] Multiple LAG Groups / Common Layer3 Routing

2011-04-05 Thread Paul Stewart
Hey Chris... nice to hear from you! ;) That makes complete sense now and I really appreciate the detailed response.. we have left the LAG idea behind at this point (did everything in a virtual-switch for now) due to time constraints but need to revisit this in a few weeks... Warmest regards,

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Chris Kawchuk
Is firewall filter SAMPLER or BLOCK-FROM-INTERNET doing any type of then accept on the remainder traffic? If so, an accept is a terminating action, and no other filters (even filter-chains) are evaluated; hence filter all is never called. - Chris. On 2011-04-06, at 7:32 AM, kwarteng wrote:

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Jonas Frey (Probe Networks)
You don't really need netflow to find the host attacking if it's a simple attack. Do this: jonas@ffm3-edge# show firewall filter attack term attack { then { log; accept; } } and then apply to your interface: unit 0 { family inet { filter { input

[j-nsp] MX RE-1800 / junos 64 experience?

2011-04-05 Thread Erik Muller
Anybody have any experience (positive or negative) they can share with the new RE-S-1800X*? I'm looking at an upcoming MX purchase, and for the price it's tough to justify sticking with the tried-and-true 1300 or 2000 in favor of the new REs ... unless the new ones, or the Junos versions they

Re: [j-nsp] mitigating dos attack on Juniper M10i

2011-04-05 Thread Stefan Fouant
-Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Jonas Frey (Probe Networks) Sent: Tuesday, April 05, 2011 10:24 PM To: kwarteng Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] mitigating dos attack on

Re: [j-nsp] MX RE-1800 / junos 64 experience?

2011-04-05 Thread OBrien, Will
I haven't seen them yet. I have been running the 2000s on my 960s and they've served me well (I have lost one in the last two years, but the failover went very well) On Apr 5, 2011, at 9:12 PM, Erik Muller wrote: Anybody have any experience (positive or negative) they can share with the new

[j-nsp] Netflow v9 sampling rate configuration in 10.4R3

2011-04-05 Thread prd::S
Hello, community. We're migrating netflow v9 configurations from 9.3R4 to 10.4R3 on MX platform (w/MS-DPC). In 9.3R4, the sampling rate can be set individually for each family {inet|inet6|mpls}, but not in 10.4R3. (No input section completion under [edit forwarding-options sampling family