Routing

Juniper MX firewall filter

09.28.17

Hello,

One of my customers is getting an attack with fragmented packets. I want to drop these connections on the MX.

http://prntscr.com/gqux06

A normal UDP packet has the UDP fields as usual, but my client is getting traffic without UDP headers in the UDP protocol.

http://prntscr.com/gquxwz

How should I block this kind of packet in a firewall filter?

Re: Juniper MX firewall filter

09.29.17

Hi,

You can try this and check if it solves the issue.

[edit]
root@mx480# show firewall family inet filter test
term 1 {
    from {
        is-fragment;
    }
    then {
        discard;
    }
}
term 2 {
    then accept;
}

[edit]
root@mx480#

 

Apply this filter on the interface.

HTH

Re: Juniper MX firewall filter

[ Edited ]
10.12.17

Hi Spdnet,

Apply the firewall filter below on the loopback if the fragmented traffic is host-bound; if it is transit, apply it on the incoming interface, and check whether it helps.

MX480# show firewall family inet filter RE-protect
term UDP-fragment {
    from {
        is-fragment;
        protocol udp;
    }
    then {
        discard;
    }
}
term allow-all {
    then accept;
}

 

If the fragmented packets are host-bound traffic, apply the filter on the loopback:

MX480# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input RE-protect;
        }
    }
}
 

If it is transit, apply it under the interface:

MX480# show interfaces xe-0/0/0
unit 0 {
    family inet {
        filter {
            input RE-protect;
        }
    }
}
 

 

Hope this helps

Re: Juniper MX firewall filter

10.12.17

Hello,

If you are talking about a fragment packet with offset > 0, then it is NOT supposed to contain a UDP header.

Only the first fragment has the UDP header.

If you are asking how to drop fragment packets with offset == 0 that do NOT have a UDP header, but instead have some predefined pattern occupying the UDP header's place, you could use "flexible-offset-filters" on the MX:

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-flexible-match-cond...

If you are asking how to drop a UDP attack that has no first fragment, then you could use a regular FW filter match "from fragment-offset [X-Y] then discard" (where X is the most commonly seen third-fragment start, i.e. 2960, and Y is the fragment end, i.e. 65120 or even 65535). This will drop any fragments except the first two, so the attack bandwidth would be reduced but not blocked completely. Legitimate protocols that use fragmentation are less common in 2017 than they used to be years ago. I could think of:

1/ ISAKMP with 2048-bit and longer certificates

2/ SIP without proxy and with lots of bindings

Years ago it also used to be WAPv1 (udp/9200), but no more.

HTH

Thx
Alex

P.S. The attackers seem to be dumb: they use long fragments. Short fragments are more harmful because of the PPS numbers, so beware and be prepared.

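The three replies propose three different match conditions, and Alex's point is that only the offset-0 fragment can carry the UDP header. The following is an added example, not code from the thread or from Juniper: it builds a UDP datagram fragmented for a 1500-byte MTU as an IP stack would, then runs a model of each proposed filter over every fragment to show which term drops what. The Junos semantics it encodes are assumptions taken from the Junos documentation (is-fragment matches trailing fragments only, first-fragment matches offset 0 with MF set, and a filter without a final accept term ends in an implicit discard); the fragment-offset comparison is done in bytes here, so check the unit Junos expects for its fragment-offset match value before copying the 2960-65535 range into a real filter. All packets, addresses and port numbers are constructed for the example.

```python
"""Model of Junos IPv4 fragment match conditions applied to constructed packets (added example)."""
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
IPPROTO_UDP = 17
MF = 0x2000           # "more fragments" bit of the 16-bit flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes


@dataclass
class Ipv4:
    proto: int
    more_fragments: bool
    offset: int        # fragment offset converted to bytes (field value * 8)
    payload: bytes


def build_ipv4(proto: int, more_fragments: bool, offset: int, payload: bytes) -> bytes:
    """Constructed test packet (RFC 5737 addresses; checksum left zero, nothing validates it here)."""
    if offset % 8 or offset > OFFSET_MASK * 8:
        raise ValueError("fragment offset must be a multiple of 8 and fit in 13 bits")
    flags_frag = (MF if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return header + payload


def parse_ipv4(pkt: bytes) -> Ipv4:
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return Ipv4(proto, bool(flags_frag & MF), (flags_frag & OFFSET_MASK) * 8, pkt[ihl:])


# Match conditions modelled on Junos (assumed semantics, see lead-in)
def is_fragment(p: Ipv4) -> bool:
    return p.offset > 0                      # trailing fragments only, never the first


def first_fragment(p: Ipv4) -> bool:
    return p.more_fragments and p.offset == 0


def fragment_offset(p: Ipv4, lo: int, hi: int) -> bool:
    return lo <= p.offset <= hi              # compared in bytes in this model


def carries_udp_header(p: Ipv4) -> bool:
    """Only an offset-0 UDP packet can carry the 8-byte UDP header; trailing fragments never do."""
    return p.proto == IPPROTO_UDP and p.offset == 0 and len(p.payload) >= 8


def run_filter(terms, p: Ipv4):
    """Evaluate terms in order, first match wins; no match means the implicit discard."""
    for name, match, action in terms:
        if match(p):
            return name, action
    return "implicit", "discard"


ACCEPT_ALL = ("allow-all", lambda p: True, "accept")
# Reply 1: drops every trailing fragment, regardless of protocol.
FILTER_TEST = [("1", is_fragment, "discard"), ACCEPT_ALL]
# Reply 2 (RE-protect): drops trailing fragments whose IP protocol is UDP.
FILTER_RE_PROTECT = [("UDP-fragment", lambda p: is_fragment(p) and p.proto == IPPROTO_UDP, "discard"),
                     ACCEPT_ALL]
# Reply 3: drop fragments from the third one (byte offset 2960) onwards, keeping the first two.
FILTER_OFFSET = [("late-frags", lambda p: fragment_offset(p, 2960, 65535), "discard"), ACCEPT_ALL]
# Same as RE-protect but without the final accept: everything else hits the implicit discard.
FILTER_NO_ACCEPT = FILTER_RE_PROTECT[:1]


def udp_header(sport: int, dport: int, length: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, length, 0)


# Constructed traffic: a 3800-byte UDP datagram fragmented for a 1500-byte MTU (1480-byte chunks),
# plus an unfragmented UDP packet and a trailing TCP fragment for comparison.
SAMPLES = {
    "udp-frag-1": build_ipv4(IPPROTO_UDP, True, 0, udp_header(4500, 500, 3800) + b"A" * 1472),
    "udp-frag-2": build_ipv4(IPPROTO_UDP, True, 1480, b"B" * 1480),
    "udp-frag-3": build_ipv4(IPPROTO_UDP, False, 2960, b"C" * 840),
    "udp-whole": build_ipv4(IPPROTO_UDP, False, 0, udp_header(53, 53, 28) + b"D" * 20),
    "tcp-frag-2": build_ipv4(IPPROTO_TCP, False, 1480, b"E" * 100),
}


def evaluate(filter_terms) -> dict:
    """Map each sample name to the action the given filter takes on it."""
    return {name: run_filter(filter_terms, parse_ipv4(pkt))[1] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, terms in [("test", FILTER_TEST), ("RE-protect", FILTER_RE_PROTECT),
                         ("fragment-offset 2960-65535", FILTER_OFFSET), ("no final accept", FILTER_NO_ACCEPT)]:
        print(label, evaluate(terms))
```

Running it shows the trade-off each reply implies: the plain is-fragment filter drops every trailing fragment of every protocol, the RE-protect variant spares non-UDP fragments but still drops the second fragment of a legitimate large UDP datagram, and the fragment-offset range keeps the first two fragments while cutting the rest. The last case illustrates why both replies end with an accept term: without it, even the unfragmented packet is discarded.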