DoS Attack Overview
The intent of a denial-of-service (DoS) attack is to overwhelm the targeted victim with a tremendous amount of bogus traffic so that the victim becomes so preoccupied processing the bogus traffic that legitimate traffic cannot be processed. The target can be the firewall, the network resources to which the firewall controls access, or the specific hardware platform or operating system of an individual host.
If a DoS attack originates from multiple source addresses, it is known as a distributed denial-of-service (DDoS) attack. Typically, the source address of a DoS attack is spoofed. The source addresses in a DDoS attack might be spoofed, or the actual addresses of compromised hosts might be used as “zombie agents” to launch the attack.
The device can defend itself and the resources it protects from DoS and DDoS attacks.
Firewall DoS Attacks Overview
The intent of a denial-of-service (DoS) attack is to overwhelm the targeted victim with a tremendous amount of bogus traffic so that the victim becomes so preoccupied processing the bogus traffic that legitimate traffic cannot be processed.
If attackers discover the presence of the Juniper Networks firewall, they might launch a DoS attack against it instead of the network behind it. A successful DoS attack against a firewall amounts to a successful DoS attack against the protected network in that it thwarts attempts of legitimate traffic to traverse the firewall.
An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of Junos OS and thereby produce a DoS.
Understanding Firewall Filters on the SRX5000 Module Port Concentrator
The SRX5000 line Module Port Concentrator (SRX5K-MPC) for the SRX5400, SRX5600, and SRX5800 supports a firewall filter that provides filter-based forwarding and packet filtering at logical interfaces, including the chassis loopback interface. A firewall filter is used to secure networks, to protect Routing Engines and Packet Forwarding Engines, and to ensure class of service (CoS).
The firewall filter provides:
Filter-based forwarding at logical interfaces
Protection of a Routing Engine from DoS attacks
Blocking of certain types of packets from reaching a Routing Engine, and packet counting
The firewall filter examines packets and performs actions according to the configured filter policy. The policy is composed of match conditions and actions. The match conditions cover various fields of the Layer 3 packet and Layer 4 headers. In association with the match conditions, various actions are defined in the firewall filter policy, and these actions include accept, discard, log, counter, and so on.
After configuring the firewall filter, you can apply it to a logical interface in the ingress direction, the egress direction, or both. All packets passing through the logical interface are checked by the firewall filter. As part of the firewall filter configuration, a policer is defined and applied to the logical interface. A policer restricts the traffic bandwidth at the logical interface.
Firewall filtering on an SRX5K-MPC does not support aggregated Ethernet interfaces.
On SRX5400, SRX5600 and SRX5800 devices with an SRX5K-MPC, applying a policer at the loopback (lo0) interface ensures that the Packet Forwarding Engine discards certain types of packets and prevents them from reaching the Routing Engine.