Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Aha’s of everyday trouble shooting Stateless firewall filtering in Junos Based on a true story.

Published byCody Glenn Modified over 8 years ago

Similar presentations

Presentation on theme: "The Aha’s of everyday trouble shooting Stateless firewall filtering in Junos Based on a true story."— Presentation transcript:

1 The Aha’s of everyday trouble shooting Stateless firewall filtering in Junos Based on a true story

2 The Attack High re CPU load Spikes on traffic graphs NTP amplification attack Probably exploiting MONLIST "Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic" (https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300)

3 Mitigating the attack Filters in place on loopback interfaces. No ’ntp client-only’ statement in Junos. Still traffic got through?!? Disabled ntp on the routers CPU load got even higher?!? Tcpdump’ed some of the traffic

4 Digging down Dependend on source port Reproduced the problem in the lab Was it a bug? Disabled term’s in the filter one by one Until... term ALLOW-SOME-ICMP { from { icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ]; } then { policer Policer-1m-100k; accept; }

5 ICMP vs. TCP/UDP ICMP Packet 0151631 IP Header TypeCodeChecksum Data UDP Packet 0151631 IP Header Source portDestination port LengthChecksum Data

6 Juniper vs. Cisco term wtf { from { protocol icmp; source-port 2048; destination-port 30000-65535; } then { count ping; accept; } cisco(config-ext-nacl)#permit ? An IP protocol number ahp Authentication Header Protocol eigrp Cisco's EIGRP routing protocol...//... tcp Transmission Control Protocol udp User Datagram Protocol

7 RTFM Juniper O’Reillys "we recommend that you also configure the protocol icmp match condition in the same term" in "Juniper MX Series" on P158, Douglas Richard Hanks, Jr. and Harry Reynolds warns that failing to include the protocol in the firewall match terms will lead to unpredictable behaviour.

8 The CPU load Junos runs on FreeBSD Default setting in FreeBSD % sysctl -a | grep blackhole net.inet.tcp.blackhole: 0 net.inet.udp.udp_blackhole: 0 0 = Send port unreachable or RST back to sender 1 = Discard the packet

9 ?

Download ppt "The Aha’s of everyday trouble shooting Stateless firewall filtering in Junos Based on a true story."

Similar presentations

CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)

CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.

ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.
1 K. Salah Module 5.3: Internet Control Message Protocol Why need ICMP? IP and ICMP ICMP Message Format ICMP Error Reporting messages ICMP Query messages.

1 K. Salah Module 5.3: Internet Control Message Protocol Why need ICMP? IP and ICMP ICMP Message Format ICMP Error Reporting messages ICMP Query messages.
1 ICMP – Using Ping and Trace CCNA Semester 2. 2 172.30.1.20 172.30.1.25.

1 ICMP – Using Ping and Trace CCNA Semester
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
Connecting Networks © 2004 Cisco Systems, Inc. All rights reserved. Defining the IP Packet Delivery Process INTRO v2.0—4-1.

Connecting Networks © 2004 Cisco Systems, Inc. All rights reserved. Defining the IP Packet Delivery Process INTRO v2.0—4-1.
ITIS 6167/8167: Network Security Weichao Wang. 2 Contents ICMP protocol and attacks UDP protocol and attacks TCP protocol and attacks.

ITIS 6167/8167: Network Security Weichao Wang. 2 Contents ICMP protocol and attacks UDP protocol and attacks TCP protocol and attacks.
Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.

Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September 1981. The purpose.

Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.
Network Administration

Network Administration
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 9 Internet Control Message.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 9 Internet Control Message.
Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP)
1 Version 3.1 modified by Brierley Module 8 TCP/IP Suite Error and Control Messages.

1 Version 3.1 modified by Brierley Module 8 TCP/IP Suite Error and Control Messages.
Page 19/13/2015 Chapter 8 Some conditions that must be met for host to host communication over an internetwork: a default gateway must be properly configured.

Page 19/13/2015 Chapter 8 Some conditions that must be met for host to host communication over an internetwork: a default gateway must be properly configured.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Slide 1 2008/2009COMM3380 Routing Algorithms Distance Vector Routing Each node knows the distance (=cost) to its directly connected neighbors A node sends.

Slide /2009COMM3380 Routing Algorithms Distance Vector Routing Each node knows the distance (=cost) to its directly connected neighbors A node sends.

Similar presentations

Ads by Google