Using Counters to Determine Whether a Router Is Under Attack

Problem

You want to count traffic on an interface to help determine whether a router is under attack.

Solution

If you suspect that an attack includes TCP packets, add a counter to the firewall term that counts all TCP traffic:

	[edit firewall filter protect-RE2]
	aviva@RouterF# set term tcp then count tcp-counter

To have the counter take effect, apply the firewall filter to the router's lo0 interface:

	[edit interfaces]
	aviva@RouterF# set lo0 unit 0 family inet filter input protect-RE2

For more fine-grained counting of the TCP traffic, define additional filter terms:

	[edit firewall filter tcp-flooding]
	aviva@RouterF# set term syn from protocol tcp
	aviva@RouterF# set term syn from tcp-flags syn
	aviva@RouterF# set term syn then count packets-syn
	aviva@RouterF# set term syn then log
	aviva@RouterF# set term syn then accept
	aviva@RouterF# set term rst from protocol tcp
	aviva@RouterF# set term rst from tcp-flags rst
	aviva@RouterF# set term rst then count packets-rst
	aviva@RouterF# set term rst then log
	aviva@RouterF# set term rst then accept
	aviva@RouterF# set term fin from protocol tcp
	aviva@RouterF# set term fin from tcp-flags fin
	aviva@RouterF# set term fin then count packets-fin
	aviva@RouterF# set term fin then log
	aviva@RouterF# set term fin then accept
	aviva@RouterF# set term tcp then count packets-tcp
	aviva@RouterF# set term tcp then accept

Discussion

If the router comes under attack, the best way to spot the attack is by watching network flows and sampling traffic if necessary. Firewall filters also provide some clues about what is happening. If the attack packets match one of the rate-limited terms, the router will start dropping traffic. If they don't match any term, you will see a sudden increase in any counters that reject traffic (in Recipe 9.16, this is the discarded-packets counter). To determine what types of attack packets the router is receiving, add a counter to the appropriate firewall term.

If your traffic sampling indicates that the attack includes TCP packets, start by counting all the TCP packets. The set term tcp then count tcp-counter command in this recipe adds a counter to the tcp term in Recipe 9.16.

If you determine that a TCP flooding attack of some kind might be underway, you can replace the tcp term with a series of terms that count each type of TCP control packet, or you can create a separate filter that does this and apply it to the interface instead; here, that filter is tcp-flooding. The first term, configured with the set term syn commands, matches, counts, logs, and accepts TCP SYN packets. The second and third terms do the same for TCP RST and FIN packets. A final term accepts and counts all the TCP packets.

To help you figure out what's going on with the attack, look at the number of TCP SYN, RST, and FIN packets received as a percentage of all TCP traffic received (counted in the packets-tcp counter). If the router already has a number of established TCP connections and you suddenly see that TCP RST, FIN, or SYN packets start to make up more than 10 percent of the total TCP packets, this is an indication of unusual and unexpected router activity. You should also check the rate at which the counters are changing. If you use a filter like this to monitor your standard day-to-day traffic when you are not under attack, you will have a better handle on what the normal and unusual TCP packet ratios are on the router.
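The ratio and rate check described above, as an added Python example that is not part of the recipe: it parses two snapshots of show firewall output for the tcp-flooding filter, computes each flag's share of TCP packets and its packets-per-second rate over the interval, and flags shares above the 10 percent mark. The sample output is constructed, and the example treats total TCP as the sum of all four counters because each earlier term ends with accept (a terminating action), so packets-tcp only ever sees the TCP packets that carry none of the three flags.

```python
import re
# Constructed samples in the shape of `show firewall filter tcp-flooding` output
# (not real router output), taken 40 seconds apart.
SAMPLE_T0 = """\
Filter: tcp-flooding
Counters:
Name                                                Bytes              Packets
packets-fin                                         24000                  400
packets-rst                                          6000                  100
packets-syn                                         30000                  500
packets-tcp                                       6000000                10000
"""
SAMPLE_T1 = """\
Filter: tcp-flooding
Counters:
Name                                                Bytes              Packets
packets-fin                                         26400                  440
packets-rst                                          6600                  110
packets-syn                                        270000                 4500
packets-tcp                                       8370000                13950
"""
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")  # name  bytes  packets

def parse_counters(text):
    """Return {counter name: packets} from the Counters section of the output."""
    counters, in_counters = {}, False
    for line in text.splitlines():
        if line.startswith("Counters:"):
            in_counters = True
        elif in_counters and not line.startswith("Name"):
            m = COUNTER_RE.match(line)
            if m:
                counters[m.group(1)] = int(m.group(3))
    return counters

def flag_ratios(before, after, interval_s, threshold=0.10):
    """Per-flag share of TCP packets and pps between two snapshots; total TCP is the
    sum of all four counters, since accept in the earlier terms ends evaluation."""
    deltas = {}
    for name in ("packets-syn", "packets-rst", "packets-fin", "packets-tcp"):
        d = after[name] - before[name]
        if d < 0:  # counters cleared (clear firewall) or wrapped between snapshots
            raise ValueError(f"{name} went backwards; take two fresh snapshots")
        deltas[name] = d
    total = sum(deltas.values())
    out = {}
    for flag in ("syn", "rst", "fin"):
        share = deltas[f"packets-{flag}"] / total if total else 0.0
        out[flag] = (share, deltas[f"packets-{flag}"] / interval_s, share > threshold)
    return out
```

Run it against two real snapshots taken a known number of seconds apart, and compare the shares with the baseline ratios you recorded on a normal day.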

See Also

Recipe 9.16

JUNOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596100140
Year: 2007
Pages: 290
Author: Aviva Garrett