
Mailing List Archive: nsp: juniper

How to protect m-series from bad guy

 

 



hhadiwinoto at hotpop

Mar 28, 2003, 12:11 PM

Post #1 of 5 (628 views)

Hi,

In order to harden my M-series, I would like to ask you how to configure
M-series to detect anti-dos, tcp-flood, land-attack, or other security
threats.

I have downloaded some security white papers from the Juniper web site, but
would like to know other resources besides the Juniper web site.
Any help would be appreciated. Thanks.


Regards
Hendro





gillsr at yahoo

Mar 28, 2003, 12:31 PM

Post #2 of 5 (614 views)

Hi Hendro,
Here are a few documents for starters.

JUNOS Secure Template
http://www.qorbit.net/documents/junos-template.pdf
http://www.qorbit.net/documents/junos-template.htm

JUNOS Secure BGP Template
http://www.qorbit.net/documents/junos-bgp-template.pdf
http://www.qorbit.net/documents/junos-bgp-template.htm

JUNOS Secure BGP Application Note
http://www.qorbit.net/documents/junos-bgp-appnote.pdf
http://www.qorbit.net/documents/junos-bgp-appnote.htm

JUNOS Loose ISP Prefix Filter Template
http://www.qorbit.net/documents/junos-isp-prefix-filter-loose.pdf
http://www.qorbit.net/documents/junos-isp-prefix-filter-loose.htm

JUNOS Strict ISP Prefix Filter Template
http://www.qorbit.net/documents/junos-isp-prefix-filter-strict.pdf
http://www.qorbit.net/documents/junos-isp-prefix-filter-strict.htm

Some sample JUNOS configurations for remotely triggered blackhole
filtering can also be found here:
http://www.cymru.com/BGP/bogon-rs.html
http://www.secsup.org/CustomerBlackHole/

Comments and / or suggestions are always appreciated.

Cheers,
Steve, for Team Cymru
http://www.cymru.com/About/teamcymru.html

-- steve
gillsr [at] yahoo




mkwilson at uslec

Apr 2, 2003, 10:59 AM

Post #3 of 5 (610 views)

Hello Stephen-
I was looking at the secure junos-template, and I'm a little confused by the
tcp-flood-detect filter. It says to apply this outbound to lo0, and that an
indication of a possible flood attack could be a "high packets-syn to
packets-tcp" ratio. Does this assume that the router is the origin of the
attack? If the attack is originating from another host and targeting the
router, wouldn't we need to count the outbound syn-acks from the router? Or
does the "syn" flag count both syn and syn-ack packets? Good chance I'm
missing something here, but thought I'd ask anyway. Thanks for any
clarifications.



gillsr at yahoo

Apr 2, 2003, 4:15 PM

Post #4 of 5 (621 views)

Hi Michael,
The syntax is a logical OR on the bit position in the IP packet.
Checking for the SYN bit will return true if the SYN bit is on no matter
what other bits are set in the packet.

For more details on the firewall filter syntax for tcp-flags I recommend
the following URL:

http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/html/firewall-config14.html

In theory you could change the policy to be:

tcp-flags "syn & ack";

-- steve
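
The matching behaviour discussed in this thread, as an added example that is not part of any post or of the JUNOS template: a small Python model of tcp-flags expressions, run over constructed flags bytes for packets a router sends out. It shows that a plain `syn` match also counts SYN-ACK replies, while `syn & ack` and `syn & !ack` separate the two. The helper names, the sample and the subset of operators modelled (`!`, `&`, `|`, parentheses) are assumptions.

```python
import re

# TCP header flag bits (RFC 793), keyed by the names used in tcp-flags matches.
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}

def match_flags(expr, flags_byte):
    """Evaluate a tcp-flags style expression: flag names, !, &, | and parentheses."""
    tokens = re.findall(r"[a-z]+|[!&|()]", expr.lower()) + ["<end>"]
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return val
        if tok not in FLAGS:
            raise ValueError("unexpected %r in %r" % (tok, expr))
        # True when this bit is set, whatever other bits are also set.
        return bool(flags_byte & FLAGS[tok])
    def and_expr():
        val = atom()
        while tokens[pos] == "&":
            take()
            val = atom() and val
        return val
    def or_expr():
        val = and_expr()
        while tokens[pos] == "|":
            take()
            val = and_expr() or val
        return val
    result = or_expr()
    if tokens[pos] != "<end>":
        raise ValueError("trailing input in %r" % expr)
    return result

def count(packets, expr):
    return sum(1 for flags in packets if match_flags(expr, flags))

# Constructed sample: flags of TCP packets a router sends while answering a SYN flood
# (8 SYN-ACK) plus normal traffic (1 SYN, 3 ACK, 2 PSH-ACK, 1 FIN-ACK).
SAMPLE_OUTBOUND = [0x12] * 8 + [0x02] + [0x10] * 3 + [0x18] * 2 + [0x11]
```

On this sample, `count(SAMPLE_OUTBOUND, "syn")` is 9 of 15 packets, of which 8 are SYN-ACK replies and 1 is a SYN the router itself originated.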



mkwilson at uslec

Apr 4, 2003, 9:23 AM

Post #5 of 5 (617 views)

Thank you. It makes more sense now.

