
Junos Enterprise Routing, 2nd Edition by Harry Reynolds, Peter Southwick, Doug Marschke


Spoof Prevention (uRPF)

Many distributed DoS attacks take advantage of address “spoofing”: the attacker randomly selects an address to place in the source field of IP packets. In some attacks, the source address is chosen deliberately from the target network under attack. In other words, the address is taken out of the network’s own address block, so that attacks on other internal machines generate ICMP error messages or other traffic back to the spoofed addresses. You can protect yourself from these types of attacks by applying ingress filtering at the edge of your network, which denies incoming packets whose source addresses fall within the network’s own address block. This filtering has traditionally been implemented with an inbound packet filter.

Referring back to the topology in Figure 8-2, note that three internal address blocks are assigned to PBR, Ale, and Bock’s network:

10.10.128/22
10.20.128/22
10.10.12/22

So, a simple filter would deny any packets sourced from those address blocks that arrive over the WAN connection off PBR:

[edit firewall]
lab@PBR# show
family inet {
    filter spoof-prevention {
        term my-addresses {
            from {
                source-address {
                    10.10.128.0/22;
                    10.20.128.0/22;
                    10.10.12.0/22;
                }
            }
            then {
                count spoofs;
                log;
                discard;
            }
        }
        term allow-rest {
            then count no-spoof;
        }
    }
}

Apply the firewall filter as an input filter on ge-0/0/0.412 and ge-0/0/0.413:

lab@PBR# show interfaces ge-0/0/0
vlan-tagging;
unit 412 {
    description PBR-to-Wheat;
    vlan-id 412;
    family inet {
        filter {
            input-list spoof-prevention;
        }
        address 172.16.1.2/24;
    }
}
unit ...
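To make the behaviour of the two-term filter concrete, the following Python script is an added example (not from the book, and not Junos code) that evaluates a handful of constructed ingress packets the same way the spoof-prevention filter above does: a source address inside any of the three internal blocks hits term my-addresses (count, log, discard); everything else falls through to term allow-rest (count, implicit accept). The packet list, the interface names and the expand_prefix helper, which turns the chapter's shorthand prefixes such as 10.10.128/22 into full CIDR form, are assumptions made for the example.

```python
"""Simulate the ingress anti-spoofing filter from the chapter (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def expand_prefix(shorthand):
    """Expand the chapter's shorthand ('10.10.128/22') to a full network object.

    Missing trailing octets are padded with zeros, so '10.10.128/22' becomes
    10.10.128.0/22. (Helper assumed for this example; Junos itself requires
    the full dotted-quad form, as in the filter configuration.)
    """
    net, plen = shorthand.split("/")
    octets = net.split(".")
    octets += ["0"] * (4 - len(octets))
    return ip_network(f"{'.'.join(octets)}/{plen}")


# The three internal blocks from Figure 8-2, as written in the chapter.
INTERNAL_BLOCKS = [expand_prefix(p) for p in ("10.10.128/22", "10.20.128/22", "10.10.12/22")]


@dataclass
class Counters:
    """Mirrors the 'count spoofs' / 'count no-spoof' counters and the 'log' action."""
    spoofs: int = 0
    no_spoof: int = 0
    logged: list = field(default_factory=list)


def is_spoofed(src, blocks=INTERNAL_BLOCKS):
    """Term my-addresses: true when the source address lies in any internal block."""
    addr = ip_address(src)
    return any(addr in blk for blk in blocks)


def evaluate(packets, blocks=INTERNAL_BLOCKS):
    """Run the filter over (ingress_interface, src, dst) tuples.

    Returns the per-packet verdicts and the counters. Term order matches the
    configuration: my-addresses first (count, log, discard), then allow-rest
    (count, then the implicit accept at the end of the filter).
    """
    counters = Counters()
    verdicts = []
    for ifl, src, dst in packets:
        if is_spoofed(src, blocks):
            counters.spoofs += 1
            counters.logged.append(f"{ifl} src={src} dst={dst}")
            verdicts.append("discard")
        else:
            counters.no_spoof += 1
            verdicts.append("accept")
    return verdicts, counters


# Constructed sample traffic arriving on the WAN-facing units of ge-0/0/0.
SAMPLE_PACKETS = [
    ("ge-0/0/0.412", "172.16.1.1", "10.10.128.10"),    # legitimate WAN peer: accept
    ("ge-0/0/0.412", "10.10.129.7", "10.10.128.10"),   # internal source from the WAN: spoofed
    ("ge-0/0/0.413", "10.20.131.255", "10.10.12.1"),   # last address of 10.20.128/22: spoofed
    ("ge-0/0/0.413", "10.10.16.1", "10.10.12.1"),      # just past 10.10.12/22 (ends 10.10.15.255): accept
    ("ge-0/0/0.412", "8.8.8.8", "10.20.128.5"),        # ordinary Internet source: accept
]

if __name__ == "__main__":
    verdicts, counters = evaluate(SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt[0]:14} {pkt[1]:>14} -> {pkt[2]:<14} {verdict}")
    print(f"spoofs={counters.spoofs} no-spoof={counters.no_spoof}")
    for entry in counters.logged:
        print("log:", entry)
```

Note what the static filter does and does not cover: it only catches packets whose source claims to be one of the enumerated internal blocks, so the list must be kept in step with the address plan, and a forged source from any other range still passes term allow-rest. That gap is the reason the section's title mentions uRPF, which derives the set of acceptable sources from the routing table instead of a hand-maintained prefix list.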
