J-series™ Services Router User Guide
Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods
The procedure in this section creates a sample stateless firewall filter,
protect-RE, that limits certain TCP and ICMP traffic destined for the Routing
Engine. A router without this kind of protection is vulnerable to TCP and ICMP
flood attacks, also known as denial-of-service (DoS) attacks. For example:

- A TCP flood attack of SYN packets initiating connection requests can so
  overwhelm the Services Router that it can no longer process legitimate
  connection requests, resulting in denial of service.
- An ICMP flood can overload the Services Router with so many echo requests
  (ping requests) that it expends all its resources responding and can no longer
  process valid network traffic, also resulting in denial of service.

Applying a firewall filter like protect-RE to the Routing Engine protects
against these types of attacks.

For each term in the sample filter, you first create a policer and then incorporate
it into the action of the term. For more information about firewall filter
policers, see the JUNOS Policy Framework Configuration Guide.

If you want to include the terms created in this procedure in the protect-RE
firewall filter configured in the previous section (see "Configuring a Routing Engine
Firewall Filter for Services and Protocols from Trusted Sources" on page 400),
perform the configuration tasks in this section first, then configure the terms as
described in the previous section. This approach ensures that the rate-limiting
terms are included as the first two terms in the firewall filter.

NOTE: You can move terms within a firewall filter by using the insert CLI command.
For more information, see "Inserting an Identifier" on page 152.

Table 157 lists the terms that are configured in this sample filter.

404
Configuring a Stateless Firewall Filter with a Configuration Editor
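The following configuration is an added illustration of the policer-then-term pattern this section describes, written for this page; it is not the guide's own sample filter and does not reproduce Table 157. The policer names (tcp-connection-policer, icmp-policer), term names (tcp-connection, icmp), the rate and burst limits, and the TCP flag match are assumptions chosen as plausible starting values, not values taken from the page. Each policer is defined first and then referenced from the then clause of its term, and the filter is applied as an input filter on the loopback interface so that it sees only traffic destined for the Routing Engine.

```junos
firewall {
    # Policer 1 (assumed values): limit TCP connection-setup traffic
    # reaching the Routing Engine. Excess packets are discarded.
    policer tcp-connection-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    # Policer 2 (assumed values): limit ICMP reaching the Routing Engine.
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-RE {
            # Term 1: match TCP segments that set up or tear down connections
            # (SYN without ACK, FIN, RST) and hand them to the policer.
            # Traffic under the limit is accepted; the policer drops the rest.
            term tcp-connection {
                from {
                    protocol tcp;
                    tcp-flags "(syn & !ack) | fin | rst";
                }
                then {
                    policer tcp-connection-policer;
                    count tcp-connection-accepted;
                    accept;
                }
            }
            # Term 2: rate-limit all ICMP (echo requests included).
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    count icmp-accepted;
                    accept;
                }
            }
            # Terms for trusted services and protocols (previous section)
            # follow here, after the two rate-limiting terms.
        }
    }
}
interfaces {
    # Applying the filter on lo0 means it acts only on packets whose
    # destination is the router itself, not on transit traffic.
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-RE;
                }
            }
        }
    }
}
```

Two points a practitioner should check before committing this. First, a stateless policer drops excess packets without regard to their source, so the limits must be high enough for the router's normal control-plane load (routing-protocol sessions, management traffic); the values above are assumptions to be tuned, not recommendations. Second, if the rate-limiting terms are added to an existing protect-RE filter and end up after the trusted-source terms, the insert command noted in this section moves them, for example `insert firewall family inet filter protect-RE term tcp-connection before term <first-existing-term>` (the existing term name is a placeholder). After the commit, `show firewall filter protect-RE` displays the counters and policer drop counts, which is the quickest way to confirm the terms are matching and to see whether a flood is being absorbed.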