04-06-2011 02:46 AM
Hi,
I haven't done anything so far with Junos scripting, but I need something that can initiate a session dump on my SRX650 cluster as soon as the current sessions reach a threshold of 400000 sessions. We need this as we are facing from time to time DDoS attacks that exceed the maximum sessions. At the moment we log in to the SRX in such an event and manually fire up a "show security flow session | no-more | save filename". This way we lose some time that could be useful for us. After about 5-10 minutes we copy the dump over to a Linux box and analyse it to get the target IP of the DDoS to block it by firewall filters. We have to stop the session dump after only 5-10 minutes as a full dump takes some hours to be done the way we are doing it. As an optimum we would have a script that generates the session dump and writes it directly to the Linux box. I don't know if there would also be a possibility to get the dump any faster.
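As an added example (not part of the original thread), a small Python script for the Linux-side analysis described above: it parses the "In:" wing of each session in a "show security flow session" text dump, ranks destination IPs by session count and number of distinct sources, and shortlists the destination that dominates the table. The sample dump is constructed from documentation addresses, and the line layout follows the classic SRX output; adjust the regex if your release prints extra fields.

```python
import re
from collections import Counter, defaultdict

# The "In:" wing of each session shows the client's view: source --> destination.
# Layout assumed from classic SRX output; adjust if your release prints extra fields.
IN_WING_RE = re.compile(r"^\s*In:\s+(?P<src>[\d.]+)/\d+\s+-->\s+(?P<dst>[\d.]+)/\d+;")

# Constructed sample dump (documentation addresses), not a real capture.
SAMPLE_DUMP = """\
Session ID: 1001, Policy name: untrust-to-dmz/4, Timeout: 2, Valid
  In: 203.0.113.10/40001 --> 198.51.100.7/80;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 198.51.100.7/80 --> 203.0.113.10/40001;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 1002, Policy name: untrust-to-dmz/4, Timeout: 2, Valid
  In: 203.0.113.11/40002 --> 198.51.100.7/80;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 198.51.100.7/80 --> 203.0.113.11/40002;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 1003, Policy name: untrust-to-dmz/4, Timeout: 2, Valid
  In: 203.0.113.10/40003 --> 198.51.100.7/80;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 198.51.100.7/80 --> 203.0.113.10/40003;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 1004, Policy name: trust-to-untrust/2, Timeout: 1794, Valid
  In: 10.0.0.5/51000 --> 198.51.100.20/443;tcp, If: ge-0/0/1.0, Pkts: 12, Bytes: 4800
  Out: 198.51.100.20/443 --> 10.0.0.5/51000;tcp, If: ge-0/0/0.0, Pkts: 9, Bytes: 6100
"""


def rank_destinations(dump_text):
    """Return [(dst_ip, sessions, distinct_sources)] sorted by session count."""
    sessions = Counter()
    sources = defaultdict(set)
    for line in dump_text.splitlines():
        m = IN_WING_RE.match(line)
        if m:  # headers, Out: wings and the summary line do not match
            sessions[m["dst"]] += 1
            sources[m["dst"]].add(m["src"])
    return [(dst, n, len(sources[dst])) for dst, n in sessions.most_common()]


def flood_candidates(dump_text, min_share=0.5):
    """Shortlist destinations holding at least min_share of all sessions."""
    # A busy customer can also hold many sessions: review the shortlist together
    # with the distinct-source count before turning it into a firewall filter.
    ranked = rank_destinations(dump_text)
    total = sum(n for _, n, _ in ranked)
    return [r for r in ranked if total and r[1] / total >= min_share]


if __name__ == "__main__":
    for dst, n, srcs in rank_destinations(SAMPLE_DUMP):
        print(f"{dst:<16} sessions={n:<6} distinct_sources={srcs}")
    print("flood candidates:", flood_candidates(SAMPLE_DUMP))
```

Run it against the saved dump by replacing SAMPLE_DUMP with the file contents; a timeout of 2 seconds on the dominant destination's sessions is a further hint that they are half-open connections rather than customer traffic.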
04-22-2011 07:19 AM
Hi Packermann,
maybe you have already tried it, but I'll ask you anyway :-)
Did you try to prevent the session table flood using the session limit feature of the SRX (under ids-option)?
04-22-2011 07:56 AM - edited 04-22-2011 08:03 AM
Hi Mattia,
thanks for the advice, but session-limit is a no-go in our situation, as the maximum value is just 20000 and we have customers that have many more regular sessions to one single IP.
04-26-2011 03:22 AM
Hi Packermann,
I think you can use event-policies to accomplish your goal; first of all you will have to define a destination, i.e. the place in which you will store the session dump:
[edit event-options]
destinations {
    UPLOAD-SERVER {
        transfer-delay seconds;
        archive-sites {
            url password password;
        }
    }
}
Then you can try to intercept (through an event-policy) the event IDP_APPDDOS_APP_ATTACK_EVENT, and then launch the appropriate operational command uploading its output to the previously defined destination:
[edit event-options]
policy DDOS-SESSION-DUMP {
    events IDP_APPDDOS_APP_ATTACK_EVENT;
    then {
        execute-commands {
            commands {
                "show security flow session | no-more";
            }
            output-filename ddps-session.log;
            output-format text;
            destination UPLOAD-SERVER;
        }
    }
}
I hope this helps, I did not test it though... For further information about event-policies, I suggest you refer to the "Configuration and Diagnostic Automation Guide".
Let me know if it works!
Mattia