Spoof Prevention (uRPF)
Many distributed DoS attacks take advantage of address “spoofing” by randomly selecting an address for the source field of IP packets. In some attacks, the source address is chosen deterministically from the target network under attack. In other words, the address is taken from the network’s own address block, so that other internal machines generate ICMP error messages or other traffic back to the spoofed (internal) addresses. You can protect yourself from these types of attacks by applying ingress filtering at the edge of your network, which denies incoming packets whose source addresses belong to the network’s own address block. This filtering has traditionally been implemented with an inbound packet filter.
Referring back to the topology in Figure 6-2, note that three internal address blocks are assigned to PBR, Ale, and Bock’s network:

- 10.10.128/22
- 10.20.128/22
- 10.10.12/22

So, a simple filter would deny any addresses from those address blocks coming from the WAN connection off PBR:
[edit firewall]
lab@PBR# show
family inet {
    filter spoof-prevention {
        term my-addresses {
            from {
                source-address {
                    10.10.128.0/22;
                    10.20.128.0/22;
                    10.10.12.0/22;
                }
            }
            then {
                count spoofs;
                log;
                discard;
            }
        }
        term allow-rest {
            then count no-spoof;
        }
    }
}

Apply the firewall filter as an input filter on fe-0/0/0.412 and fe-0/0/0.413:
lab@PBR# show interfaces fe-0/0/0
vlan-tagging;
unit 412 {
    description PBR-to-Wheat;
    vlan-id 412;
    family inet {
        filter {
            input-list spoof-prevention;
        }
        address 172.16.1.2/24;
    }
}
unit 413 ...
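To check what the spoof-prevention filter above actually matches before committing it, the following added example (not from the book or Junos) models its term order in Python: the three internal prefixes are expanded from the /22 shorthand, the first-matching term decides the action and increments its counter, and packets on units without the input filter (a constructed unit fe-0/0/0.100) are shown passing untouched. The sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# The three internal address blocks from the spoof-prevention filter
# (the book abbreviates them, e.g. 10.10.128/22 for 10.10.128.0/22).
INTERNAL_BLOCKS = [ipaddress.ip_network(b) for b in
                   ("10.10.128.0/22", "10.20.128.0/22", "10.10.12.0/22")]

# Units on which the filter is applied as an input filter.
FILTERED_UNITS = {"fe-0/0/0.412", "fe-0/0/0.413"}

def evaluate_term(src: str) -> tuple[str, str]:
    """Mimic the filter's term order: 'my-addresses' counts 'spoofs' and
    discards; otherwise 'allow-rest' counts 'no-spoof' and accepts."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in INTERNAL_BLOCKS):
        return ("discard", "spoofs")
    return ("accept", "no-spoof")

def apply_filter(packets):
    """Run (unit, source) packets through the filter and return the counters
    plus a per-packet action. A unit without the input filter passes every
    packet, which is why the filter must sit on every WAN-facing unit."""
    counters = Counter()
    results = []
    for unit, src in packets:
        if unit not in FILTERED_UNITS:
            results.append((unit, src, "accept"))
            continue
        action, counter = evaluate_term(src)
        counters[counter] += 1
        results.append((unit, src, action))
    return counters, results

# Constructed sample packets (ingress unit, source address), not from the book.
SAMPLE_PACKETS = [
    ("fe-0/0/0.412", "10.10.129.7"),    # inside 10.10.128.0/22 -> spoofed
    ("fe-0/0/0.413", "10.10.15.200"),   # inside 10.10.12.0/22 (covers .12-.15)
    ("fe-0/0/0.412", "10.10.16.1"),     # just past the /22 boundary -> legit
    ("fe-0/0/0.413", "198.51.100.9"),   # ordinary external source -> legit
    ("fe-0/0/0.100", "10.20.130.4"),    # hypothetical unfiltered unit: no check
]

if __name__ == "__main__":
    counters, results = apply_filter(SAMPLE_PACKETS)
    for result in results:
        print(result)
    print(dict(counters))
```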