The Aha's of everyday troubleshooting

Stateless firewall filtering in Junos
Based on a true story
The Attack
• High RE CPU load
• Spikes on traffic graphs
• NTP amplification attack
• Probably exploiting MONLIST
"Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic"
(https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300)
Mitigating the attack
• Filters in place on loopback interfaces.
• No 'ntp client-only' statement in Junos.
• Still traffic got through?!?
• Disabled ntp on the routers
• CPU load got even higher?!?
• Tcpdump'ed some of the traffic
Digging down
• Dependent on source port
• Reproduced the problem in the lab
• Was it a bug?
• Disabled terms in the filter one by one
• Until...

    term ALLOW-SOME-ICMP {
        from {
            icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
        }
        then {
            policer Policer-1m-100k;
            accept;
        }
    }
ICMP vs. TCP/UDP

ICMP packet (bit positions after the IP header):
    bits 0-7: Type | bits 8-15: Code | bits 16-31: Checksum
    Data

UDP packet (bit positions after the IP header):
    bits 0-15: Source port | bits 16-31: Destination port
    bits 0-15: Length      | bits 16-31: Checksum
    Data

The ICMP Type and Code bytes sit at exactly the offset where a UDP (or TCP) packet carries its source port. A stateless term that matches on icmp-type without also matching on protocol icmp therefore compares the high byte of a UDP source port against the ICMP type list: a UDP packet from source port 2048 (0x0800) looks like an echo-request (type 8, code 0), and any source port below 256 looks like an echo-reply (type 0).
Juniper vs. Cisco

Junos accepts a source-port match together with protocol icmp:

    term wtf {
        from {
            protocol icmp;
            source-port 2048;
            destination-port 30000-65535;
        }
        then {
            count ping;
            accept;
        }
    }

Cisco IOS makes you name the protocol before anything else:

    cisco(config-ext-nacl)#permit ?
      <0-255>  An IP protocol number
      ahp      Authentication Header Protocol
      eigrp    Cisco's EIGRP routing protocol
      ...//...
      tcp      Transmission Control Protocol
      udp      User Datagram Protocol
RTFM
• Juniper: "we recommend that you also configure the protocol icmp match condition in the same term"
• O'Reilly's "Juniper MX Series", p. 158: Douglas Richard Hanks, Jr. and Harry Reynolds warn that failing to include the protocol in the firewall match terms will lead to unpredictable behaviour.
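The header overlap behind the ALLOW-SOME-ICMP term, worked through in code as an added example (not from the talk or from Juniper). It assumes a simplified model of the stateless matcher, namely that an icmp-type condition reads the first byte after the IP header whatever protocol the packet carries, and it builds its own constructed sample packets; the fix it models is the vendor's own advice of adding protocol icmp to the term.

```python
import struct

# ICMP type numbers for the names used in the ALLOW-SOME-ICMP term.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo-request": 8, "time-exceeded": 11}
ALLOWED = ["echo-request", "echo-reply", "unreachable", "time-exceeded", "source-quench"]

def ipv4(proto, l4):
    """Constructed sample packet: minimal 20-byte IPv4 header (checksum left 0) + L4 header."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + l4

def udp(sport, dport):
    return ipv4(17, struct.pack("!HHHH", sport, dport, 8, 0))

def icmp(icmp_type, code=0):
    return ipv4(1, struct.pack("!BBH", icmp_type, code, 0))

def term_matches(pkt, icmp_type_names, protocol_icmp):
    """Simplified model (assumption) of a stateless 'from { icmp-type [...] }' term:
    the matcher reads the byte at the ICMP type offset, i.e. the first byte after
    the IP header, regardless of which protocol the packet carries. With
    protocol_icmp=True the term also carries the 'protocol icmp' condition."""
    ihl = (pkt[0] & 0x0F) * 4
    if protocol_icmp and pkt[9] != 1:      # IP protocol number 1 = ICMP
        return False
    wanted = {ICMP_TYPES[n] for n in icmp_type_names}
    return pkt[ihl] in wanted

def matches_without_protocol(pkt):
    """The ALLOW-SOME-ICMP term as written on the slide (no 'protocol icmp')."""
    return term_matches(pkt, ALLOWED, protocol_icmp=False)

def matches_with_protocol(pkt):
    """The same term with the recommended 'protocol icmp' added."""
    return term_matches(pkt, ALLOWED, protocol_icmp=True)

def udp_source_ports_hit(icmp_type_names):
    """UDP source ports whose high byte equals a listed ICMP type number, i.e. the
    ports the unqualified term silently matches (0-255 for echo-reply, 2048-2303
    for echo-request, and so on)."""
    wanted = {ICMP_TYPES[n] for n in icmp_type_names}
    return [p for p in range(65536) if (p >> 8) in wanted]

if __name__ == "__main__":
    ntp = udp(123, 123)   # constructed: UDP from port 123, high byte 0x00 = echo-reply
    print(matches_without_protocol(ntp), matches_with_protocol(ntp))   # True False
    print(matches_without_protocol(udp(2048, 40000)))   # True: 0x0800 = echo-request, code 0
    print(matches_with_protocol(icmp(8)))   # True: a real echo-request still passes
```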
The CPU load
• Junos runs on FreeBSD
• Default setting in FreeBSD:

    % sysctl -a | grep blackhole
    net.inet.tcp.blackhole: 0
    net.inet.udp.udp_blackhole: 0

  0 = Send port unreachable or RST back to sender
  1 = Discard the packet
• With the default of 0, every UDP packet that reaches the now-closed NTP port makes the Routing Engine generate an ICMP port unreachable in reply, which is why disabling ntp on the routers pushed the CPU load even higher.
?