Re: ICANN Targets DDoS Attacks

[Jared Mauch <jared () puck Nether net>]

On Tue, Oct 29, 2002 at 04:31:50PM -0500, Jared Mauch wrote:
> On Tue, Oct 29, 2002 at 01:24:11PM -0800, Dan Lockwood wrote:
> > Would anyone be willing to post an operational example of CAR for ICMP.
> > I would like to see what others are doing to combat the problem.
> >
> > Dan
>
> rate-limit input access-group 2000 1536000 200000 200000 conform-action transmit exceed-action drop
>
>
> access-list 2000 permit icmp any any echo
> access-list 2000 permit icmp any any echo-reply
>
>
> POS0/1 <peer interface>
>   Input   
>     matches: access-group 2000
>       params:  1536000 bps, 200000 limit, 200000 extended limit
>       conformed 96374566 packets, 19474M bytes; action: transmit
>       exceeded 16609350 packets, 1446M bytes; action: drop
>       last packet: 28ms ago, current burst: 0 bytes
>       last cleared 7w5d ago, conformed 33230 bps, exceeded 2467 bps
> POS0/2 <peer interface>
>   Input   
>     matches: access-group 2000
>       params:  1536000 bps, 200000 limit, 200000 extended limit
>       conformed 37773899 packets, 6325M bytes; action: transmit
>       exceeded 5222953 packets, 399165438 bytes; action: drop
>       last packet: 52ms ago, current burst: 0 bytes
>       last cleared 7w5d ago, conformed 10794 bps, exceeded 681 bps
>
>       As you can see by looking at your 'current burst'
> information, you can find out if there is an active attack/exceeding.
>
>       These rates are typically quite low as you can see.

        here is a juniper example:

firewall {
    filter icmp-car-ge-6-1-0 {
        policer echo-reply-ge-6-1-0 {
            if-exceeding {
                bandwidth-limit 2250000;
                burst-size-limit 256k;
            }
            then discard;
        }
        term icmp-echo-reply {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply ];
            }
            then {
                count echo-reply-ct-ge-6-1-0;
                policer echo-reply-ge-6-1-0;
                accept;
            }
        }
        term remainder {
            then accept;
        }
    }
}

        You need to do per-interface buckets on juniper otherwise
it will do an overall aggregate.

        You then would also set a input (or output) filter on
the interface to match the firewall filter.

eg:

# show interfaces ge-6/1/0 
description "Exchange Interface";
link-mode full-duplex;
unit 0 {
    family inet {
        no-redirects;
        filter {
            input icmp-car-ge-6-1-0;
        }
        address 10.1.2.3/24 {
            primary;
        }
    }
}
-- snip --


-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.