Limiting Traffic on Router Interfaces

Some DoS attacks on routers work by inundating the router with traffic, sending so much traffic to router interfaces so quickly that the interfaces are overwhelmed and can't handle the regular traffic that should be passing through the interface. One method to combat this attack is to use Junos policers, which you can specify when you define the action a firewall filter should take. Policers allow you to place limits on the amount of traffic (or even just a type of traffic) that an interface can receive, which can limit the impact of DoS attacks. Policers control the maximum allowed bandwidth (the average number of bits per second) and the maximum allowed size of a single burst of traffic when the bandwidth limit is exceeded. Any traffic received beyond the set limits is dropped.
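To make the two limits concrete, here is a small token-bucket model of a policer, written for this page as an added illustration (it is not Junos code and simplifies the real implementation): the bucket holds at most the burst size in bytes, refills at the bandwidth limit, and a packet is accepted only if enough credit is available. The packet trace is constructed; the 1m/25k values match the policer defined later in the text.

```python
from dataclasses import dataclass, field

# Simplified single-rate, two-colour token bucket (assumption: this is an
# abstraction of policer behaviour, not a description of a specific ASIC).
@dataclass
class Policer:
    bandwidth_bps: float        # bandwidth-limit, bits per second (1m -> 1_000_000)
    burst_size: int             # burst-size-limit, bytes (25k -> 25_000)
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        # The bucket starts full, so an idle interface can absorb one full burst.
        self.tokens = float(self.burst_size)

    def offer(self, t: float, length: int) -> str:
        """Offer a packet of `length` bytes at time `t` seconds; return the action."""
        elapsed = t - self.last_t
        self.last_t = t
        # Credit accrues at the bandwidth limit but never exceeds the burst size.
        self.tokens = min(self.burst_size,
                          self.tokens + elapsed * self.bandwidth_bps / 8)
        if length <= self.tokens:
            self.tokens -= length
            return "accept"
        return "discard"      # the "then discard" action in the text


def run(policer: Policer, packets):
    """Apply the policer to a list of (time_seconds, length_bytes) pairs."""
    return [policer.offer(t, n) for t, n in packets]


def demo():
    # Constructed trace: a 20-packet burst of 1500-byte packets at t=0 (a flood),
    # then 10 more packets 100 ms later.
    flood = [(0.0, 1500)] * 20 + [(0.1, 1500)] * 10
    actions = run(Policer(bandwidth_bps=1_000_000, burst_size=25_000), flood)
    return actions.count("accept"), actions.count("discard")


if __name__ == "__main__":
    accepted, dropped = demo()
    print(f"accepted={accepted} discarded={dropped}")
```

With a 25k burst the router absorbs 16 full-size packets instantly (16 x 1500 = 24000 bytes), drops the rest of the flood, and 100 ms later has earned only 12,500 bytes of new credit, so just 9 of the next 10 packets pass. Raising burst-size-limit tolerates larger short bursts; raising bandwidth-limit raises the sustained rate.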

Policers are used in the action (then) portion of a firewall filter. To use them in a firewall filter, you first define the policer. The following example creates a policer called police-ssh-telnet that sets a maximum traffic rate (bandwidth) of 1 Mbps and a maximum burst size (the largest single burst of traffic allowed beyond that rate) of 25K. Traffic exceeding these limits is discarded.

[edit firewall]
fred@router# set policer police-ssh-telnet if-exceeding bandwidth-limit 1m
[edit firewall]
fred@router# set policer police-ssh-telnet if-exceeding burst-size-limit 25k
[edit firewall]
fred@router# set policer police-ssh-telnet then discard

Then include the policer in ...
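The same policer shown in full configuration form, referenced from a firewall filter term and applied as an input filter to an interface, is added here as an example and is not the book's own text. The filter name limit-mgmt, the term names and the interface ge-0/0/0 are assumed; the policer statements are the ones defined above.

```junos
/* Added example; names other than police-ssh-telnet are assumed. */
firewall {
    policer police-ssh-telnet {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 25k;
        }
        then discard;
    }
    filter limit-mgmt {
        /* Rate-limit only SSH and Telnet; everything else is untouched. */
        term rate-limit-ssh-telnet {
            from {
                protocol tcp;
                destination-port [ ssh telnet ];
            }
            then {
                policer police-ssh-telnet;
                accept;
            }
        }
        /* Without a final accept term, unmatched traffic would be discarded. */
        term allow-rest {
            then accept;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input limit-mgmt;
                }
            }
        }
    }
}
```

Because the policer is attached in a term that matches only SSH and Telnet, a flood of those protocols is capped without touching the rest of the interface's traffic. To protect the routing engine itself rather than transit traffic through a single port, the same filter can be applied to the lo0 interface instead. After committing, show policer and show firewall filter limit-mgmt report how much traffic the policer has discarded, which is a quick way to confirm the limits are being hit during an attack.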

Get Junos® OS For Dummies®, 2nd Edition now with the O’Reilly learning platform.
