Taking Action When a DoS Attack Occurs
When you determine that a DoS attack is occurring, there is usually very little you can do to stop the attack itself. There are, however, a few ways you can block the attack traffic before it reaches the target device.
Using Filtering to Block DoS Attacks
The most obvious step you can take to block the attack is to use firewall filters. The exact solution depends on the type and scope of the attack, but a good general approach is to use filters similar to the ones you used to detect the attack in the first place.
Here is a filter similar to the ICMP filter shown earlier, but with a slight variation:
[edit]
lab@r1# show firewall family inet filter discard-icmp
term A {
    from {
        destination-address {
            192.168.28.1/32;
        }
        protocol icmp;
    }
    then {
        count icmp-counter;
        log;
        discard;
    }
}
term B {
    then accept;
}

In the preceding example, a filter called discard-icmp has many of the same parameters as the check-for-icmp filter, but with a key difference: ICMP traffic destined for the server is now dropped. Once you apply this filter outbound on the server-facing interface, the attack will be blocked.
Note
Do not deny traffic with the reject command. Rejecting traffic causes the JUNOS device to respond with an ICMP message of its own for each packet that matches the filter. This means the device generates as much traffic as it receives during the attack, which doesn't help the situation!
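The following is an added illustration, not JUNOS code or anything from the original text: a small Python model of how the discard-icmp filter above evaluates its terms (first matching term wins, counting and logging before the terminating action), and of why the Note prefers discard over reject. The server address comes from the filter; the flood and legitimate packets are constructed sample data.

```python
# Added model of the discard-icmp filter's evaluation (not JUNOS itself).
from collections import Counter

SERVER = "192.168.28.1"  # protected server from the filter above

# Each term: (match predicate, action list). First match wins, as in JUNOS.
DISCARD_ICMP = [
    (lambda p: p["dst"] == SERVER and p["proto"] == "icmp",
     ["count icmp-counter", "log", "discard"]),   # term A
    (lambda p: True, ["accept"]),                 # term B
]

def apply_filter(terms, packets):
    """Run packets through the filter. Returns (counters, log entries,
    forwarded packets, number of ICMP replies the router itself emits)."""
    counters, log, forwarded, replies = Counter(), [], [], 0
    for pkt in packets:
        for match, actions in terms:
            if not match(pkt):
                continue
            for act in actions:
                if act.startswith("count "):
                    counters[act.split()[1]] += 1
                elif act == "log":
                    log.append(pkt)
                elif act == "reject":
                    replies += 1          # one ICMP error back per packet
                elif act == "accept":
                    forwarded.append(pkt)
                # "discard" drops silently: nothing forwarded, no reply
            break  # terminating action reached; stop evaluating terms
    return counters, log, forwarded, replies

def with_action(terms, old, new):
    """Copy of a filter with one terminating action swapped (discard -> reject)."""
    return [(m, [new if a == old else a for a in acts]) for m, acts in terms]

# Constructed sample: a 1000-packet ICMP flood at the server plus two legitimate packets.
FLOOD = [{"src": f"10.0.{i % 256}.7", "dst": SERVER, "proto": "icmp"} for i in range(1000)]
LEGIT = [{"src": "10.1.1.5", "dst": SERVER, "proto": "tcp"},
         {"src": "10.1.1.6", "dst": "192.168.28.2", "proto": "icmp"}]

if __name__ == "__main__":
    counters, log, fwd, replies = apply_filter(DISCARD_ICMP, FLOOD + LEGIT)
    print(counters["icmp-counter"], len(fwd), replies)   # 1000 2 0
    rejecting = with_action(DISCARD_ICMP, "discard", "reject")
    print(apply_filter(rejecting, FLOOD + LEGIT)[3])      # 1000 replies: as much traffic as received
```

Running it shows the discard filter counting and logging all 1000 flood packets while forwarding only the two legitimate ones and sending no replies, whereas the reject variant answers every flood packet.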
You can implement the same solution for TCP SYN attacks, using a variation of ...