Junos Security by James Quinn, Timothy Eberhard, Patricio Giecco, Brad Woodberg, Rob Cameron

Advanced Denial-of-Service and Distributed Denial-of-Service Protection

Here we’ll look at the various ways in which the SRX can prevent or mitigate advanced DoS and DDoS flooding attacks. A DoS flood is a flood of packets to a host or network that is meant to degrade or reduce the availability of the service or network. There are many types of DoS flooding attacks, but they can be categorized into two main flavors:

Service flood

A service flood is an attempt to overrun a system or service with requests (valid or invalid) that exceed the system’s ability to process legitimate requests. An example is an HTTP request flood, as shown in Figure 7-8. The idea of the HTTP flood is to overrun the web server with thousands (or millions) of bogus requests, knocking the website offline and preventing it from serving its customers.

Figure 7-8. A service flood attack

Bandwidth flood

A bandwidth flood is similar to a service flood, with the exception that the bandwidth flood may not be attacking a single destination; instead, it’s attempting to fill up the network links or network infrastructure’s processing capacity. Typically, you see these types of floods as large UDP packets with spoofed sources, as shown in Figure 7-9. Assuming the destination node or network’s smallest link in the network path is an OC3, which is approximately 155 Mb, to attack the availability of this network and its ability to ...
