The Aha’s of everyday troubleshooting: stateless firewall filtering in Junos. Based on a true story.


1 The Aha’s of everyday troubleshooting: stateless firewall filtering in Junos. Based on a true story.

2 The attack
High RE (Routing Engine) CPU load.
Spikes on the traffic graphs.
NTP amplification attack, probably exploiting MONLIST.
"Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic." (https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300)

3 Mitigating the attack
Filters were in place on the loopback interfaces.
There is no ’ntp client-only’ statement in Junos.
Still, traffic got through?!?
Disabled NTP on the routers. CPU load got even higher?!?
Tcpdump’ed some of the traffic.

4 Digging down
The behaviour was dependent on the source port.
Reproduced the problem in the lab.
Was it a bug?
Disabled the terms in the filter one by one, until...

    term ALLOW-SOME-ICMP {
        from {
            icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
        }
        then {
            policer Policer-1m-100k;
            accept;
        }
    }

Note what the term does not say: it matches on icmp-type alone, with no protocol icmp match condition.

5 ICMP vs. TCP/UDP

    ICMP packet
     0               15 16              31
    +-----------------------------------+
    |             IP header             |
    +--------+--------+-----------------+
    |  Type  |  Code  |    Checksum     |
    +--------+--------+-----------------+
    |               Data                |

    UDP packet
     0               15 16              31
    +-----------------------------------+
    |             IP header             |
    +-----------------+-----------------+
    |   Source port   | Destination port|
    +-----------------+-----------------+
    |     Length      |    Checksum     |
    +-----------------+-----------------+
    |               Data                |

The ICMP type and code bytes sit at exactly the offset after the IP header where a UDP (or TCP) header carries its 16-bit source port. A match on the ICMP type byte that is not also restricted to protocol icmp therefore compares against the high byte of the UDP source port: a UDP packet with source port 123 (NTP) has a high byte of 0x00, the same value as ICMP type 0, echo-reply.

6 Juniper vs. Cisco

Junos happily commits a term that combines protocol icmp with port matches:

    term wtf {
        from {
            protocol icmp;
            source-port 2048;
            destination-port 30000-65535;
        }
        then {
            count ping;
            accept;
        }
    }

Source port 2048 is 0x0800, i.e. the two bytes of ICMP type 8 (echo-request), code 0, so the "ping" counter counts pings; the destination-port range is compared against the bytes that hold the ICMP checksum.

Cisco's extended ACL syntax forces you to name the protocol before anything else:

    cisco(config-ext-nacl)#permit ?
      An IP protocol number
      ahp     Authentication Header Protocol
      eigrp   Cisco's EIGRP routing protocol
      ...
      tcp     Transmission Control Protocol
      udp     User Datagram Protocol

7 RTFM
O’Reilly’s "Juniper MX Series" (Douglas Richard Hanks, Jr. and Harry Reynolds), p. 158: "we recommend that you also configure the protocol icmp match condition in the same term". The authors warn that failing to include the protocol in the firewall match terms will lead to unpredictable behaviour.

8 The CPU load
Junos runs on FreeBSD. The FreeBSD default:

    % sysctl -a | grep blackhole
    net.inet.tcp.blackhole: 0
    net.inet.udp.blackhole: 0

0 = send an ICMP port unreachable (UDP) or a RST (TCP) back to the sender
1 = discard the packet silently

With NTP disabled on the routers, the broken ICMP term still accepted the reflected NTP packets (UDP source port 123), and the RE now answered every one of them with an ICMP port unreachable instead of just dropping them, which is why the CPU load went up rather than down.
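The following Python model is an added example and not code from the presentation. It puts slides 4 to 6 and 8 together: it builds constructed ICMP and UDP packets, evaluates the slide's icmp-type term with and without protocol icmp, lists the UDP source-port ranges such a term lets through, shows why source-port 2048 counts echo-requests, and applies the FreeBSD udp.blackhole rule to what reaches the Routing Engine. The one assumption (stated in the docstring too) is that an icmp-type match without protocol icmp compares the first byte after the IP header whatever the IP protocol is, which is the behaviour the slides' experiments point to. Packet contents, port numbers and the hypothetical re_reaction helper are constructed for illustration.

```python
"""Model of the filter behaviour the slides describe (added example, not code
from the presentation).  ASSUMPTION: an icmp-type match in a Junos stateless
term compares the first byte after the IP header regardless of IP protocol
unless 'protocol icmp' is also present; the slides' observations (source-port
dependency, 'source-port 2048' counting pings) fit that model.  All packets
below are constructed, not captured."""
import struct
from dataclasses import dataclass

# ICMP type numbers (RFC 792) for the names used in the slide's term.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo-request": 8, "time-exceeded": 11}
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


@dataclass(frozen=True)
class Packet:
    proto: int   # IP protocol number
    l4: bytes    # bytes immediately following the IP header


def icmp_packet(type_: int, code: int = 0) -> Packet:
    # ICMP header: type(8) code(8) checksum(16); checksum left as 0
    return Packet(IPPROTO_ICMP, struct.pack("!BBH", type_, code, 0))


def udp_packet(sport: int, dport: int, length: int = 8) -> Packet:
    # UDP header: sport(16) dport(16) length(16) checksum(16)
    return Packet(IPPROTO_UDP, struct.pack("!HHHH", sport, dport, length, 0))


def term_matches(pkt: Packet, icmp_types, with_protocol_icmp: bool) -> bool:
    """'from { [protocol icmp;] icmp-type [ ... ]; }' as a predicate."""
    if with_protocol_icmp and pkt.proto != IPPROTO_ICMP:
        return False
    wanted = {ICMP_TYPES[name] for name in icmp_types}
    # The type byte is the high byte of a UDP/TCP source port (slide 5).
    return pkt.l4[0] in wanted


def aliased_udp_source_ports(icmp_types):
    """(type, low, high) UDP source-port ranges an icmp-type-only term
    accepts: type t is the high byte, so ports t*256 .. t*256+255 match."""
    return sorted((ICMP_TYPES[n], ICMP_TYPES[n] << 8, (ICMP_TYPES[n] << 8) | 0xFF)
                  for n in icmp_types)


def type_code_as_port(type_: int, code: int) -> int:
    """16-bit value a 'source-port' match needs to hit an ICMP type/code
    pair (slide 6: echo-request, code 0 -> 2048)."""
    return (type_ << 8) | code


def re_reaction(pkt: Packet, listening_udp_ports, udp_blackhole: int) -> str:
    """Hypothetical helper: what the Routing Engine does with a UDP packet
    the filter accepted, per net.inet.udp.blackhole (slide 8).  ICMP rate
    limiting is ignored."""
    if pkt.proto != IPPROTO_UDP:
        return "not-udp"
    dport = struct.unpack("!H", pkt.l4[2:4])[0]
    if dport in listening_udp_ports:
        return "delivered"
    return "silent-drop" if udp_blackhole else "icmp-port-unreachable"


# The term from slide 4.
SLIDE_TERM = ["echo-request", "echo-reply", "unreachable",
              "time-exceeded", "source-quench"]

if __name__ == "__main__":
    ntp_reply = udp_packet(sport=123, dport=40000)   # reflected NTP traffic
    for with_proto in (False, True):
        print(f"protocol icmp present={with_proto}: NTP src 123 accepted ->",
              term_matches(ntp_reply, SLIDE_TERM, with_proto))
    print("UDP source ports the broken term accepts:",
          aliased_udp_source_ports(SLIDE_TERM))
    print("echo-request/0 expressed as source-port:", type_code_as_port(8, 0))
    print("RE with ntp disabled, blackhole=0:", re_reaction(ntp_reply, set(), 0))
```

Running it shows the reflected NTP packet (source port 123, high byte 0x00 = echo-reply) passing the term until protocol icmp is added, that every UDP source port below 256 (NTP, DNS, ...) is let through the same way, and that with NTP disabled and the FreeBSD default blackhole setting each accepted packet earns an ICMP port unreachable in return.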

9 ?

