Attack Prevention
It is extremely difficult to actually prevent a DoS attack, since you usually don’t own the network from which the attack is originating. That being said, there are some steps you can take to help prevent attacks from bringing down your network and devices.
Eliminate Unused Services
Disabling or removing services that the device is not using gives you a good start toward defeating attacks. Every active service is listening on an open port. Certain attacks, such as TCP SYN floods, rely on this fact. For example, a TCP SYN flood to TCP port 21 will not succeed if the FTP service on the target device is disabled. Of course, you can’t disable all services—devices legitimately need some in order to function properly and interact with other devices on the network. But there is no good reason to leave unused services running, and leave the device any more open to attack than it needs to be.
Enable Reverse Path Forwarding
Unicast Reverse Path Forwarding (RPF) is a kind of security tool that confirms that traffic is coming from where it’s supposed to be coming from. When a packet arrives at a JUNOS device that is configured to use unicast RPF, the device does a route lookup to determine which path it should use to send return traffic to the originating device. If the packet’s incoming interface matches the interface the router would use to send return traffic, the packet is considered valid; otherwise, the packet is dropped.
Some attacks use IP spoofing as part of their attack, ...
Get JUNOS High Availability now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.